Phishing attacks can be accomplished via different standards, such as SMS and phone calls, but the numerous general procedure implicates transmitting victims' emails including negative attachments. These may arrive in various formations, but they usually belong to one of the subsequent classifications: executable files, office documents, archives, PDFs, or connections.

Let’s take a closer look at these types and concern examples of current phishing attacks that use such malware delivery procedures.

1. Executable Files

Using an executable email extension is the easiest, yet the most prominent method of operating a phishing attack. A basic opposing .exe file not only presents a notice to the individual who reaches across it but also makes it possible to activate a safety system. To create executables that a slightly suspicious, threat actors may conceal them as honest documents, photographs, or software updates, utilizing innocuous-sounding names like “A economic report” or “invoice”.

Most often, these files come with related emails that seem to be from a respected authority, like a bank or a software agent. Assailants may use alternative executable types to fool a possible target without adequate computer understanding into spreading them. These contain .msi, .dll, and .scr files, which, despite the benefit of other attachments, work likewise to .exe ones.

Example:

Let’s examine a sample of a phishing executable in a sandbox. In this example, we can watch how the AgentTesla malware is provided on the system via an .exe file concealed as a PDF one. It has a fake name “BANK SWIFT.pdf____”, which may be adequate to complicate a likely target and get them to handle it.

2. Office Documents

The next typical type of phishing attack implicates spreading Word, Excel, and PowerPoint documents with implanted nasty macros, scripts, or exploits. Once extended, the hostile content within the document is implemented, usually leading to the induction of malware or the heist of susceptible details.

Example:

In this example, sandbox research shows the use of CVE-2017-11882, an exposure that permits assailants to run hostile code by using a defect in Microsoft Equation Editor. By spreading the infected Excel file, the victim initiates the implementation chain, which ultimately guides to the condition with AgentTesla.

3. Archives

Archiving in phishing attacks is primarily utilized as the basic norm of evading detection. Placing malware inside a .ZIP, .RAR, or any other library configuration file permits threat actors to avoid protection resolutions that may not examine condensed files as simply as uncompressed ones.

Offenders may also use different reduction forms, encryption, or password security to make it more challenging for protection investigators and automatic tools to examine the contents of the archive. By hiding the nasty payload within an archive, the malware has a more elevated chance of successfully penetrating the marking system.

Example:

In this Attack, the sandbox lets us safely examine and discharge an archive including a nasty executable. Witness how the archive and the file it includes are named “Documento_Fiscal_Detallado”, which once also reveals how attackers abuse legitimate-sounding names to trick targets. We can see how the system gets contaminated with AsyncRAT after establishing the archived executable.

4. PDFs

The prior method of using PDFs in phishing is by implanting them with a hostile relationship. These relations are usually prepared to handle a similarity to honest documents. By clicking on the link inside the PDF, users begin the next attack phase, which may affect stealing their login details, and confidential data, or ultimately terminating with malware being settled on their system.

Example:

Here is an example of a PDF file including a phishing link. In this issue, by clicking on this link, the user downloads an archive, which includes a negative executable. The last step of the attack is the deployment of the DBatLoader which moves to lower its shipments.

5. URLs

Finally, an incredibly widespread phishing technique is founded on hostile links mailed as part of emails. To make these URLs seem more natural, cybercriminals often use URL shortening, typosquatting, or homograph attacks to form negative links. After clicking on it, the target gets diverted to a scheming website that may rob their login credentials, and confidential details, or get them to download malware and implement it.

Example:

This sandbox session reveals a widespread phishing attack that tries to mislead users into entering their password on a fake MS Outlook page. Attackers are also manipulating the honest IPFS.io service to host their page to make it seem more reliable.

Examining Phishing Attacks in ANY.RUN: A Detailed Analysis

ANY.RUN’s cloud-based sandbox is excellent for exploring phishing attacks, with fully interactive Windows and Linux VM backgrounds.  Employ uploaded files and URLs to trace the attack, conduct all required research actions, and achieve a precise idea of network traffic, registry modifications, operational procedures, TTP, and more.

Did you find this article interesting? Join our TTB Community on LinkedIn for more intriguing articles & updates.