Summary: Researchers at Cofense have identified a new phishing technique that allows hackers to bypass secure email gateways by disguising malware within compressed files, exploiting the limitations of static scanning. This method involves misleading file extensions, which can deceive email security systems into allowing harmful attachments through.
Threat Actor: Unknown hackers
Victim: International financial firm
Key Points:
- Hackers used a decoy file extension to hide a malicious HTML file within an archive, successfully bypassing the Cisco IronPort secure email gateway.
- The technique exploits the static scanning limitations of email gateways, which often rely on the header information of files.
- Cofense suggests that dynamic scanning would be ideal, but current processing power limitations make it impractical for many manufacturers.
- Static analysis improvements could include flagging mismatches between file headers and footers to enhance detection capabilities.
- Researchers noted that attackers are increasingly finding ways to evade various email security products by encoding URLs and leveraging the lack of rescanning by subsequent gateways.
Phishing hackers have developed a new technique for smuggling malware past secure email gateway defenses, said researchers at Cofense who uncovered a recent info stealer campaign.
In a Wednesday report, the email security company said hackers targeting Spanish-speaking employees of an international financial firm found they could subvert the static scanning functions of the Cisco IronPort appliance – although the technique likely would succeed on secure email gateways made by most manufacturers.
The technique isn’t conceptually sophisticated; it depends on hiding the malicious attachment’s true file extension from the scanner by throwing up a decoy file extension. Hackers placed the malicious file into a compressed archive. Because of how secure email gateways parse the contents of an archived file, they were able to misleadingly label it as an mpeg file. Hackers put the real .html file extension in the file footer, but IronPort didn’t catch the mismatch between the header and the footer.
Information Security Media Group contacted Cisco for comment but didn’t immediately receive a response.
Headers are “typically considered to be reliable,” said Max Gannon, threat intelligence manager at Cofense. “If a program isn’t smart enough, it’s just going to take whatever the header says at face value.”
Some unzipping applications Cofense used to probe the malicious file were able to flag the mismatch, but ironically, desktop applications that treated the malicious file correctly as an HTML file rather than an mpeg file also enabled the malicious code.
Exploiting static scanning limitations in this way so far hasn’t been a widely used tactic, Gannon said. “We really haven’t seen this before. I honestly think that it was someone testing the water to see if it would work – and it did work, very well.” The technique doesn’t appear in any known phishing kits, he added.
Gannon said he doesn’t know for sure whether hackers infected the targeted financial institution with their info stealer, but he said it’s likely they succeeded on at least one workstation.
Dynamic scanning of email attachments by gateways would be the ideal solution, Gannon said, but processing power limitations make that remedy too expensive. Static scanning could still do a better job, he said. A mismatch between the file type in the header and footer should raise flags. Gannon also said that code tucked into the attachment itself was highly indicative of malware. Unzipping files to extract code, admittedly, would put more demands on computing power. Particularly large archived files might be too expensive to analyze, Gannon said.
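One way to implement the header/footer check Gannon describes, as an added example that is not Cofense's or Cisco's code: a ZIP member's name appears twice, once in the local file header near the front of the archive and once in the central directory at the end (the "footer"), and a scanner that trusts only the front copy can be shown a different extension than the unzip tool will use. The script compares both copies for every member, shows that Python's own zipfile refuses such a member, and builds a constructed fixture to exercise the check (the names and HTML content in it are assumptions, not the campaign's file).

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30  # fixed part of a local file header; name and extra follow

def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def header_footer_mismatches(archive: bytes) -> list[tuple[str, str]]:
    """Return (local_header_name, central_directory_name) pairs whose extensions
    disagree. zipfile parses the central directory at the end of the archive (the
    "footer" desktop unzip tools trust); the local header at the front is what a
    header-trusting scanner reads, so it is re-read here by raw offset."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    findings = []
    for info in zf.infolist():
        off = info.header_offset
        if archive[off:off + 4] != LOCAL_HEADER_SIG:
            raise ValueError(f"no local file header at offset {off}")
        name_len, = struct.unpack_from("<H", archive, off + 26)
        start = off + LOCAL_HEADER_LEN
        local_name = archive[start:start + name_len].decode("utf-8", "replace")
        if _extension(local_name) != _extension(info.filename):
            findings.append((local_name, info.filename))
    return findings

def strict_unzip_rejects(archive: bytes) -> bool:
    """True if Python's zipfile refuses a member whose two names differ, the
    behaviour of the unzip tools that did flag the mismatch."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    try:
        for info in zf.infolist():
            zf.open(info).close()
    except zipfile.BadZipFile:
        return True
    return False

def build_fixture(decoy: str, real: str, payload: bytes) -> bytes:
    """Constructed test archive (an assumption, not the campaign's file): the
    central directory names the member `real`; the first local header is then
    patched in place to the same-length `decoy` name."""
    assert len(decoy) == len(real), "in-place patch needs equal-length names"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(real, payload)
    data = bytearray(buf.getvalue())
    data[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + len(decoy)] = decoy.encode()
    return bytes(data)
```

A gateway rule built on this should also look past the name entirely and sniff the member's leading bytes, since a decoy name is only one way to misdescribe an attachment.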
Also, secure email gateway coders would have to allow for “zip bombs” – files that when extracted blow up to giant sizes – “from 200 bytes to 200 terabytes, a way of exploiting how the archiving process works,” he said.
Gannon said secure email gateways don’t perform more static analysis because “there’s not really a nice way to say this, but they’re basically lazy.”
Manufacturers, he said, “typically don’t get called out on it, so they typically don’t add the extra effort to do it.”
Researchers at Cofense in a report last week said attackers increasingly evade email security products such as VIPRE, BitDefender, Hornet Security and Barracuda by encoding URLs with one secure email gateway product and sending the malicious link onward. Links encoded by a security appliance often aren’t rescanned by another security gateway, which gives the attacker a free pass.