Here is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with new a ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e.
This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.
Basically, Locky is back with a vengeance and a whole new bag of evil tricks.
The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo. “The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”
This is the third recent massive Locky attack
The third in an increasingly sophisticated series of ransomware attacks launched this summer is dubbed IKARUS by Comodo, some other security vendors are calling it Locky Diablo6. As in previous attacks, the Eastern European Locky cyber mafia is using a botnet of zombie computers which makes it hard to simply block by IP. “Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues. The most innovative hook of this new feature involves the way these criminal hackers manage to evade spam filters.
Here is how it evades machine learning
“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.” “That’s why even machine learning is not sufficient in making these kind of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.” In other words, it looks like that again the bad guys are ahead of your spam filters, whether that is a traditional or new machine-learning flavor. Now, the Locky payload still ultimately uses an executable file written to disk, so your endpoint security may be able to block it. There are other types of attacks that take advantage of machine learning blind spots (fileless attacks, for example), but this isn’t one of them. What the bad guys behind Locky count on is cranking out so many new variants that antivirus (even some machine learning ones) won’t recognize and block it.