Hackers Bypass Secure Email Gateway With Malware Exploits


Hackers often attack Secure Email Gateways (SEGs) to bypass security measures and gain access to private communications.

Once they have bypassed a SEG, they can snoop on emails, alter them, or launch a phishing campaign that spreads malware and steals sensitive information from the organizations involved.


Cybersecurity researchers at Cofense recently discovered that hackers have been actively attacking and bypassing the SEGs with sophisticated malware exploits.


Technical Analysis

Secure Email Gateways (SEGs) have a weakness that threat actors are actively exploiting by sending them corrupted .zip archives.

These archives contain HTML files carrying .Mpeg extensions, which hides the harmful content from SEG scans.

Email with attached archive containing obfuscated contents (Source – Cofense)

In Outlook or Windows Explorer, which expose the file's true HTML nature, the file opens as HTML and can deliver embedded malware such as FormBook.

This method has evaded detection on Cisco's IronPort system and similar products, which points to a significant flaw in email filtering systems.

Hackers disseminated phishing emails tailored to Spanish-speaking employees at international financial firms: the attack targets employees in Spain working for large international banks, using carefully crafted phishing emails with fake invoices attached.


7zip and PowerISO recognize the file as .mpg (though it cannot be played when opened), while SEGs and Windows' built-in tools perceive it as HTML.

This inconsistency in file parsing between systems is what the malicious .zip archive exploits, allowing the malware to reach potential victims undetected.

SEGs and typical archive software, such as PowerISO and 7zip, identify the content as an .Mpeg file, while Windows Explorer and Outlook recognize it correctly as HTML.

Archive file contents viewed in multiple programs (Source – Cofense)

In this case, the difference is caused by the archive's manipulated header and footer information: the header indicates an .Mpeg file, whereas the footer discloses its true HTML nature.

According to the report, this method allows the malware to go undetected both under SEG inspection and on casual viewing, which reveals significant security risks in how email filters parse files.
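The parsing inconsistency described above (a member whose extension and leading bytes say "media" while the body is HTML) is something a defender can check for directly. The following is an added illustration, not code from the article or from Cofense: it builds a constructed in-memory .zip whose member `invoice.mpg` starts with an MPEG program-stream header and then carries an HTML document, sniffs each member the naive way (first bytes only), and separately scans the whole member for HTML markers, flagging any mismatch. All file names, bytes and marker lists are assumptions made for this example, not the attackers' actual samples.

```python
import io
import re
import zipfile

# Constructed sample (not from the real campaign): an MPEG program-stream
# start code followed by padding and then an HTML document.
MPEG_PS_MAGIC = b"\x00\x00\x01\xba"
SAMPLE_HTML = b"<!DOCTYPE html><html><body><script>/* constructed */</script></body></html>"


def build_sample_archive() -> bytes:
    """Return bytes of a constructed .zip with one mismatched member and one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.mpg", MPEG_PS_MAGIC + b"\x00" * 12 + SAMPLE_HTML)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def sniff_by_magic(data: bytes) -> str:
    """Naive type detection that trusts only the leading bytes, as a weak scanner would."""
    if data.startswith(MPEG_PS_MAGIC) or data.startswith(b"\x00\x00\x01\xb3"):
        return "mpeg"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


# Markers that indicate an HTML document anywhere in the member, not just at its head.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<iframe|<body", re.IGNORECASE)


def contains_html(data: bytes) -> bool:
    """True if HTML markup appears anywhere in the member, regardless of its header."""
    return HTML_MARKERS.search(data) is not None


def inspect_archive(zip_bytes: bytes) -> list:
    """Inspect every member; flag those that claim a non-HTML type but contain HTML."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            magic = sniff_by_magic(data)
            html = contains_html(data)
            # The suspicious case: extension and leading bytes say "not HTML",
            # yet HTML markup is present further in. That is the mismatch
            # between header and body the article describes.
            suspicious = html and magic != "html" and ext not in ("html", "htm")
            findings.append(
                {
                    "name": info.filename,
                    "ext": ext,
                    "magic": magic,
                    "contains_html": html,
                    "suspicious": suspicious,
                }
            )
    return findings


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

The point of the check is that type identification must not stop at the first few bytes or the extension: an HTML renderer will happily open a file whose header looks like video, so the scan has to look at the whole member and treat any disagreement between the claimed type and the content as a reason to block or quarantine.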

When the HTML file is opened, it delivers another .zip archive containing a .cmd file that is actually a .cab archive.

This contains a DBat Loader executable, which is downloaded and run in memory together with the FormBook malware.

This particular variant of FormBook calls out to different C2 servers with multiple paths compared to standard versions.

FormBook is among the top 10 information stealers and can double up as a keylogger, file manager, clipboard manager, screenshot grabber, network traffic analyzer, and browser data thief. It may also be able to download and launch additional malware, including ransomware.
