OLE attacks spiked in March and are trending strong in April.
OLE attacks spiked in March and are trending strong in April.

An increasing number of attacks using OLE packages has been spotted – giving users of Microsoft Office one more reason to be wary of what they click on when prompted by their computer.

Object Linking and Embedding (OLE) package attacks are similar to those that use weaponized Word documents that require the victim to enable macros in order for the payload to be delivered, a PhishMe report stated. The difference is: instead of being encouraged to click on an 'enable macros' button, the target is pushed via social engineering tricks to double-click on an icon representing various types of Office products.

“This method adds to another iteration of techniques threat actors use to evade anti-analysis and sandbox environments and to successfully infect the intended recipient,” the report said.

Brendan Griffin, PhishMe's threat intelligence manager, told SC Media that the primary malware being delivered is Ursnif botnet malware, and while it has been used in the past to deliver banking trojans, Ursnif is a flexible attacker capable of delivering different types of payloads – but theft of private information has always been one of its strengths.

“Its keylogging functionality often goes live as soon as the malware is in place," Griffin said. "However, one advantage this malware gains for threat actors is its adaptability. Ursnif can be used for a number of purposes and inherits code from other robust malware including financial crimes malware.”

Ursnif also has a reconnaissance capability, Griffin noted, saying it can be used to gather additional information about a newly infected system so the hacker can figure out the next phase of an attack.

PhishMe researchers believe the recent uptick in OLE use is being driven by several factors, including the fact that Office users and security pros are catching on to the macros trick and because Office is an integral part of the operations at many businesses.

“Companies cannot block Office documents at the perimeter in the same way they can executable Windows applications because businesses rely on Office,” Griffin said. "Malware distributors know this and are finding more and more ways to deliver malware by abusing those essential, everyday tools."

OLE package attacks perked up in December 2016, disappeared in January and peaked in March. So far April is also proving to be a banner month with PhishMe projecting about the same number of attacks as in March. The current batch of attacks are being pushed via phishing using what Griffin described as a “soft targeting” methodology.

“This is a tactic in which the threat actor crafts a phishing message that might appeal more to a class or role rather than to a specific individual, but is also not generic enough to reach a wide audience. We have also seen some degree of internationalization through the use of various languages to deliver the Ursnif botnet malware,” Griffin noted.

Due to the style of the attack, the burden of defense will fall on the frontline workers who are most likely to receive the initial email. That means these people have to be trained and empowered by their employer to understand the role they are playing in defending the attack.

“Companies should also harness this human expertise to spot what technical controls may miss as a source of intelligence by encouraging their employees to report suspicious emails to security professionals who are prepared and capable of responding appropriately,” Griffin concluded.