Phishing attacks can be executed through various means, such as SMS and phone calls, but the most prevalent method involves sending victims emails containing malicious attachments.
Let's take a closer look at these types and examine examples of recent phishing attacks that utilize such malware delivery methods.
Using an executable email attachment is the simplest, yet the most obvious way of conducting a phishing attack.
Attackers may employ alternative executable types to trick a potential victim without sufficient computer knowledge into opening them.
Let's analyze a sample of a phishing executable in a sandbox.
The next common type of phishing attack involves distributing Word, Excel, PowerPoint documents with embedded malicious macros, scripts, or exploits.
Sandbox analysis reveals the use of CVE-2017-11882, a vulnerability that allows attackers to execute malicious code by exploiting a flaw in Microsoft Equation Editor.
Archiving in phishing attacks is mostly used as a basic means of evading detection.
Putting malware inside a .ZIP, .RAR, or any other archive format file allows threat actors to bypass security solutions that may not scan compressed files as thoroughly as uncompressed ones.
In this attack, the sandbox lets us safely analyze and detonate an archive containing a malicious executable.
The primary way of utilizing PDFs in phishing is by embedding them with a malicious link.
By clicking on the link inside the PDF, users trigger the next attack stage, which may involve stealing their login credentials, personal information, or eventually concluding with malware being dropped on their system.
Here is an example of a PDF file containing a phishing link.
The final stage of the attack is the deployment of the DBatLoader that proceeds to drop its payloads.
Finally, an extremely widespread phishing method is based on malicious links sent as part of emails.
To make these URLs appear more genuine, cybercriminals often use URL shortening, typosquatting, or homograph attacks to create malicious links.
This sandbox session shows a popular phishing attack that attempts to trick users into entering their password on a fake MS Outlook page.
Attackers are also abusing the legitimate IPFS.io service to host their page to make it appear more trustworthy.
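As an added example (not code from the article or from ANY.RUN), here is a small Python triage function for the three link tricks named above: it flags non-ASCII or punycode hostnames (homographs), known shortener domains, and registrable domains within two edits of a trusted name (typosquatting). The trusted-domain list, the shortener list and all sample URLs are constructed assumptions for illustration.

```python
from typing import List
from urllib.parse import urlparse

# Assumed lists for illustration; a deployment would use its own allow-list.
TRUSTED_DOMAINS = {"outlook.com", "microsoft.com", "office.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (enough for this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url: str) -> List[str]:
    """Return findings for one URL; an empty list means nothing was flagged."""
    findings = []
    host = urlparse(url).hostname or ""
    # Homograph: raw non-ASCII hostname, or an already punycode-encoded label.
    if any(ord(c) > 127 for c in host):
        findings.append("homograph: non-ASCII characters in hostname")
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append("homograph: punycode (xn--) label in hostname")
    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append(f"shortener: {reg} hides the final destination")
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            d = edit_distance(reg, trusted)
            if d <= 2:
                findings.append(f"typosquat: {reg} is {d} edit(s) from {trusted}")
    return findings


if __name__ == "__main__":  # constructed sample links; \u043e is Cyrillic 'o'
    for sample in ("https://outlook.com/owa", "https://bit.ly/x1",
                   "https://outlok.com/login", "https://\u043eutlook.com/login"):
        print(sample, "->", triage_url(sample) or ["clean"])
```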
ANY.RUN's cloud-based sandbox is ideal for analyzing phishing attacks, with fully-interactive Windows and Linux VM environments.
Engage with uploaded files and URLs to trace the attack, perform all necessary investigation activities, and gain a detailed view of network traffic, registry changes, active processes, TTPs, and more.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 15 May 2024 17:45:07 +0000