Anti-Phishing, DMARC , Fraud Management & Cybercrime
Email Gateway Security Gaps Enable New Malware Tactics
Static Scanning Limitations Usher Malware Onto Corporate NetworkPhishing hackers have developed a new technique for smuggling malware past secure email gateway defenses, said researchers at Cofense who uncovered a recent info stealer campaign.
See Also: 2024 APJ State of the Phish: Is Your Organisation Covered
In a Wednesday report, the email security company said hackers targeting Spanish-speaking employees of an international financial firm found they could subvert the static scanning functions of the Cisco IronPort appliance - although the technique likely would succeed on secure email gateways made by most manufacturers.
The technique isn't conceptually sophisticated; it depends on hiding the malicious attachment's true file extension from the scanner by throwing up a decoy file extension. Hackers placed the malicious file into a compressed archive. Because of how secure email gateways parse the contents of an archived file, they were able to misleadingly label it as an mpeg
file. Hackers put the real .html
file extension in the file footer, but IronPort didn't catch the mismatch between the header and the footer.
Information Security Media Group contacted Cisco for comment but didn't immediately receive a response.
Headers are "typically considered to be reliable," said Max Gannon, threat intelligence manager at Cofense. "If a program isn't smart enough, it's just going to take whatever the header says at face value."
Some unzipping applications Cofense used to probe the malicious file were able to flag the mismatch but ironically, desktop applications that treated the malicious file correctly as an HTML file rather than an mpeg file also enabled the malicious code.
Exploiting static scanning limitations in this way so far hasn't been a widely used tactic, Gannon said. "We really haven't seen this before. I honestly think that it was someone testing the water to see if it would work - and it did work, very well." The technique doesn't appear in any known phishing kits, he added.
Gannon said he doesn't know for sure whether hackers infected the targeted financial institution with their info stealer, but he said it's likely they succeeded on at least one workstation.
Dynamic scanning of email attachments by gateways would be the ideal solution, Gannon said, but processing power limitations make that remedy too expensive. Static scanning could still do a better job, he said. A mismatch between the file type in the header and footer should raise flags. Gannon also said that code tucked into the attachment itself was highly indicative of malware. Unzipping files to extract code, admittedly, would put more demands on computing power. Particularly large archived files might be too expensive to analyze, Gannon said.
Also, secure email gateway coders would have to allow for "zip bombs" - files that when extracted blow up to giant sizes - "from 200 bytes to 200 terabytes, a way of exploiting how the archiving process works," he said.
Gannon said secure email gateways don't perform more static analysis because "there's not really a nice way to say this, but they're basically lazy."
Manufacturers, he said, "typically don't get called out on it, so they typically don't add the extra effort to do it."
Researchers at Cofense in a report last week said attackers increasingly evade email security products such as VIPRE, BitDefender, Hornet Security and Barracuda by encoding URLs with one secure email gateway product and sending the malicious link onward. Links encoded by a security appliance often aren't rescanned by another security gateway, which gives the attacker a free pass.