Incident Response, TDR, Threat Management

Report: Banking trojans and weaponized Office docs month’s top attack vectors


Researchers at Invincea report that banking trojans delivered by weaponized Office documents were the top attack vector for the month of October.

"Weaponized docs are still being used because the attackers know that they are an effective means of delivering malware. It simply works. This attack method is far outpacing other deliver methods such as exploit kits and malvertising," Invincea's Director of Security Analytics Patrick Belcher told via email. 

Belcher said these documents can essentially install anything the attacker wishes, such as an HTTP web server. 

Miscreants use carefully crafted spear phishing emails with malicious Word and Excel documents to deliver trojans, malware and ransomware, according to Invincea's Data Breach Prevention Series: Weaponized Documents are Dominant Malware Delivery Vector.

Researchers noticed an increase in the number of spear-phishing attacks using weaponized Office documents to deliver trojans such as Dridex and Shifu in October, according to the report. The volume of weaponized Office document delivery of malware far outpaced other threats from malvertising, ransomware and other crime-ware trojans combined, the report said.

Despite international law enforcement efforts to dismantle the Dridex infrastructure, the malware resurfaced in early October when it began targeting French banking users, according to Invincea's report.  

Researchers also observed Shifu attacks that installed a fully functional version of the Apache web server via the malicious Office documents as well. The version of Apache used is believed to compromise banking credentials by intercepting and interpreting SSL transactions.

In addition to the banking trojans, researchers noted in the report that ransomware was a prominent threat as well.

“A multitude of business websites, typically running slideshow plug-ins were compromised in order to redirect visitors to exploit kits delivering crippling CryptoWall3 ransomware,” researchers said in the report.

While there was an overall drop in instances of malvertising attacks, the campaigns researchers spotted were more targeted than ever.

During the month, major malvertising attacks in Germany and Poland affected tens of thousands of users, the report said, including an attack against Poland's largest news website on the day of the county's national elections, which could have infected thousands more users.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.