BlueHat India 2024: Phishing Landscape Evolution: Unveiling Layers of Email Malware Delivery


In the ever-evolving landscape of cybersecurity, threat actors continually advance their tactics, employing sophisticated techniques to compromise systems. In this research session, Preksha Saxena and Yashvi Shah, Security Researchers at McAfee, delve into a complex multi-stage campaign that transcends conventional file type limitations, showcasing attackers' versatility in using various formats such as VBS, PDFs, and more for payload delivery. Following Microsoft's implementation of macro-blocking measures for Internet-delivered Office files, threat actors have been compelled to devise alternative methods for distributing malware through email.

Our investigation centers on a generic file-based attack vector initiated through email delivery. These campaigns employ reply-chain emails, creating the impression of a reply to an earlier conversation in order to increase user engagement. As we explore the campaign's intricacies, we examine the methods attackers use to obscure code and leverage PowerShell regardless of the initial file type. Threat actors strive to bypass the Windows Antimalware Scan Interface (AMSI) so that malicious script files execute undetected. The final phase of the campaign involves deploying payloads ranging from Remote Access Trojans (RATs) to ransomware. This versatility extends beyond the initial loader, now distributing an array of threats such as Agent Tesla, AsyncRAT, Formbook, RemcosRAT, GuLoader, and more, showcasing the broad impact of the attackers' evolving tactics.
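The chain described above (a script attachment launching PowerShell, often with obfuscation and attempts to neutralise AMSI) leaves a recognisable footprint in process-creation telemetry. The following detection sketch is an added example and is not code from the talk or from McAfee: it scores constructed process-creation events by parent process (a script host such as wscript.exe or cscript.exe) and by suspicious PowerShell command-line switches. The event field names (`parent_image`, `image`, `cmdline`) and the sample events are assumptions made for this example.

```python
import re

# Parent processes typical of the script-file lures (VBS/JS/HTA) the talk describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line indicators; PowerShell's short aliases (-e, -enc, -w, -ep, -nop) are covered.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window":   re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass":   re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass"),
    "no_profile":      re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    # Weak on its own: obfuscated scripts usually split or encode the string.
    "amsi_reference":  re.compile(r"(?i)amsi"),
}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one process-creation event (hypothetical field names, see lead-in)."""
    if basename(event["image"]) not in POWERSHELL:
        return {"pid": event["pid"], "from_script_host": False,
                "indicators": [], "severity": "none"}
    from_script_host = basename(event["parent_image"]) in SCRIPT_HOSTS
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if from_script_host and hits:
        severity = "high"      # script host -> PowerShell with evasion switches
    elif from_script_host:
        severity = "medium"    # unusual parent, plain command line
    elif hits:
        severity = "low"       # evasion switches but a benign-looking parent
    else:
        severity = "none"
    return {"pid": event["pid"], "from_script_host": from_script_host,
            "indicators": hits, "severity": severity}


# Constructed sample events (not real telemetry). The base64 blob decodes to "ABCDEFGHIJKLMN".
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1, "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA=="},
    {"pid": 2, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cscript.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -w hidden -c \"Get-Process | Out-File amsi.log\""},
    {"pid": 4, "parent_image": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA=="},
    {"pid": 5, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def run_detection(events=SAMPLE_EVENTS) -> list:
    """Analyze every event and return the per-event findings."""
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

The parent-child relationship carries most of the signal: a script interpreter spawning PowerShell is rare in normal use, while the switch-based indicators alone are noisy and easily rewritten, so they only raise severity when paired with the unusual parent. Matching on the literal string "amsi" is included to show why such a check is weak; a production rule would instead alert on AMSI provider telemetry or script-block logging.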

This research aims to provide a holistic analysis of the techniques employed by attackers and enhance understanding of their strategies across different file formats delivered as email attachments. The study focuses on the intricate obfuscation of subsequent script files and illustrates the injection of highly potent malware into legitimate Windows processes, evading security checks. The objective is to strengthen cybersecurity measures against a diverse range of sophisticated threats.
