Phishing attacks can be executed through various means, such as SMS and phone calls, but the most prevalent method involves sending victims emails containing malicious attachments.
These may come in various forms, but they most often belong to one of the following categories: executable files, office documents, archives, PDFs, or links.
Let’s take a closer look at these types and examine examples of recent phishing attacks that utilize such malware delivery methods.
1. Executable Files
Using an executable email attachment is the simplest, yet the most obvious way of conducting a phishing attack. A bare malicious .exe file not only raises an alarm in the person who comes across it, but also is likely to trigger a security system.
To make executables a little less suspicious, threat actors may disguise them as legitimate documents, images, or software updates, using innocuous-sounding names like “A financial report” or “invoice”.
Most frequently, these files come with corresponding emails that appear to be from a reputable source, like a bank or a software vendor.
Attackers may employ alternative executable types to trick a potential victim without sufficient computer knowledge into opening them. These include .msi, .dll, and .scr files, which, despite the use of different extensions, operate similarly to .exe ones.
Example:
Let’s analyze a sample of a phishing executable in a sandbox. In this example, we can observe how the AgentTesla malware is delivered on the system via an .exe file disguised as a PDF one.
It has a fake name “BANK SWIFT.pdf____”, which may be sufficient to confuse a potential victim and get them to run it.
Start analyzing suspicious files and links right away. Sign up for a free ANY.RUN account now!
2. Office Documents
The next common type of phishing attack involves distributing Word, Excel, PowerPoint documents with embedded malicious macros, scripts, or exploits.
Once opened, the malicious content within the document is executed, often leading to the installation of malware or the theft of sensitive information.
Example:
In this example, sandbox analysis reveals the use of the CVE-2017-11882, a vulnerability that allows attackers to execute malicious code by exploiting a flaw in Microsoft Equation Editor.
By opening the infected Excel file, the victim triggers the execution chain, which eventually leads to the infection with AgentTesla.
3. Archives
Archiving in phishing attacks is mostly used as a basic means of evading detection.
Putting malware inside a .ZIP, .RAR, or any other archive format file allows threat actors to bypass security solutions that may not scan compressed files as thoroughly as uncompressed ones.
Criminals may also use various compression formats, encryption, or password protection to make it more difficult for security researchers and automated tools to analyze the contents of the archive.
By hiding the malicious payload within an archive, the malware has a higher chance of successfully infiltrating the target system.
Example:
In this Attack, the sandbox lets us safely analyze and detonate an archive containing a malicious executable.
Notice how the archive and the file it contains are named “Documento_Fiscal_Detallado”, which once again shows how attackers use legitimate sounding names to fool victims.
We can see how, the system gets infected with AsyncRAT after launching the archived executable.
4. PDFs
The primary way of utilizing PDFs in phishing is by embedding them with a malicious link. These links are usually crafted to bear a resemblance to legitimate documents.
By clicking on the link inside the PDF, users trigger the next attack stage, which may involve stealing their login credentials, personal information, or eventually concluding with malware being dropped on their system.
Example:
Here is an example of a PDF file containing a phishing link. In this case, by clicking on this link, the user downloads an archive, which contains a malicious executable. The final stage of the attack is the deployment of the DBatLoader that proceeds to drop its payloads.
5. URLs
Finally, an extremely widespread phishing method is based on malicious links sent as part of emails. To make these URLs appear more genuine, cybercriminals often use URL shortening, typosquatting, or homograph attacks to create malicious links.
After clicking on it, the victim gets redirected to a fraudulent website that may steal their login credentials, personal information, or get them to download malware and execute it.
Example:
This sandbox session shows a popular phishing attack that attempts to trick users into entering their password on a fake MS Outlook page. Attackers are also abusing the legitimate IPFS.io service to host their page to make it appear more trustworthy.
Analyze Phishing in ANY.RUN
ANY.RUN’s cloud-based sandbox is ideal for analyzing phishing attacks, with fully-interactive Windows and Linux VM environments.
Engage with uploaded files and URLs to trace the attack, perform all necessary investigation activities, and gain a detailed view of network traffic, registry changes, active processes, TTPs, and more.
Get 6 Months of ANY.RUN Malware Sandbox Paid Plans for Free before May 31st - Register Here