Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.
Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.
To bypass spam filter controls, attachments rarely include the actual malware or ransomware files, instead the files contain scripts that download the malicious payload.
Due to the ease at which these malicious downloaders are being identified, malware distribution tactics have been changed. Rather than use these suspect files, cybercriminals have switched to file types that are less obviously malicious. Microsoft has noticed a trend for using LNK files and SVG files containing malicious PowerShell scripts.
LNK files are Windows shortcut files which usually point to some form of executable file. SVG (Scalable Vector Graphics) files are image files, and are much more innocuous. These files are typically opened with image software such as Adobe Creative Suite or Illustrator. Double clicking on these malicious LNK and SVG files will launch PowerShell scripts that download malware or ransomware.
Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set restrictions on PowerShell commands to prevent them from running. However, even with restrictions in place, those policies can be easily bypassed. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.”