TECH ALERT: New email embedded malware getting through major AV scans

Major AV missing email-borne threats

The delivery of embedded malware deep inside email attachments has emerged as a new and constant threat.

Clearswift has recently been approached by a number of top cybersecurity teams and organizations for help with an increasing number of attempts to deliver malware embedded in email attachments and activated automatically by malicious scripting code. The sophistication and continuous morphing of the delivery methods let these new malware variants pass undetected through major AV scanning solutions.

The impact

Cybersecurity experts in the banking and financial services industry have, since late last year, been battling early versions of email embedded malware known as Cridex and Dridex, which attempted to steal banking credentials and personal information. Just as the banking organizations began their fight to keep your financial information safe, numerous reports started to appear about the increase of malware targeting the healthcare industry and your critical health information. Regardless of the industry, these reinvented threats have cybersecurity teams scratching their heads. A big part of the challenge has been the reliance on traditional AV scanning technologies and filters which, while eventually updated to block some of the basic embedded threats, simply haven’t gone deep enough to inspect emails for malware embedded in multiple layers of attached documents and triggered by advanced scripting techniques.

How it works

Here is an example of what to expect from these new forms of email embedded malware:

  • Emails with vague body messages are sent that highlight the attachment as an important document, such as an invoice. The attachment, often a PDF file, might be titled SalesInvoice519658.pdf.
  • The attachment in this case has multiple layers: the PDF includes JavaScript and an embedded Word document, which in turn contains an embedded macro that executes automatically.
  • Upon opening the PDF file, the JavaScript executes, saving the embedded Word document to a temporary file and then instructing Windows to open it. The macros in the Word file use various techniques to hide what they are actually doing, which most often is downloading and executing a virus, Trojan, Cryptolocker, Cryptowall or other malware type.

These attachment types (Office documents and PDFs) are required for normal business activities and are often trusted by end-users without a second thought to the havoc they may cause if the sender has malicious intent.

The solution – email sanitization for comprehensive malware protection

The most effective way to thoroughly sanitize emails and ensure they are cleansed of embedded malware is to add a layer of Structural Sanitization to your existing email security solution. Unique to Clearswift’s Adaptive Redaction technology, Structural Sanitization uses deep content inspection to completely disassemble all messages and attachments at a far more granular level and to detect and automatically strip hidden and active content. That active content can be the executables, scripts or macros that trigger embedded malware: VBA macros in Office documents; JavaScript, VBScript and ActiveX in HTML message bodies and HTML attachments; and JavaScript and ActiveX in PDF documents. As a result, malware not caught by standard spam and AV hygiene scanning can be completely removed.
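As an added illustration (not Clearswift’s code), the Python below performs the kind of structural check the paragraph describes: it inspects a PDF’s object dictionaries for the active-content markers (JavaScript, open actions, launch actions, embedded files) and an OOXML container for a VBA project, and makes a gateway decision without any malware signature. The sample PDF skeleton and the in-memory .docx are constructed for the example; a production sanitizer would also inflate compressed object streams and handle legacy OLE formats.

```python
import io
import re
import zipfile

# Dictionary keys that mark active content in a PDF (/AA = additional actions);
# a structural check looks for these in the disassembled file, not for a signature.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def pdf_active_content(data):
    """Active-content keys present in raw PDF bytes. Limitation: keys inside
    compressed object streams (/ObjStm) are not seen; a real sanitizer inflates them."""
    found = []
    for key in PDF_ACTIVE_KEYS:
        # Require a delimiter after the key so /JS does not also match e.g. /JSON
        if re.search(re.escape(key) + rb"(?![A-Za-z])", data):
            found.append(key.decode())
    return found

def office_has_macros(data):
    """OOXML files (docx/docm/xlsm/...) are zips; VBA lives in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(name, data):
    """Gateway decision: hold attachments that carry active content, pass the rest."""
    if data.startswith(b"%PDF"):
        return "quarantine" if pdf_active_content(data) else "pass"
    if name.lower().endswith((".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")):
        return "quarantine" if office_has_macros(data) else "pass"
    return "unhandled"

# Constructed sample PDF skeleton (not a real document): the catalog runs a JavaScript
# action on open and carries an embedded file, the shape the alert describes.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (/* placeholder, no payload */) >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 5 0 R >> >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
def build_sample_docx(with_macro):
    """Constructed OOXML container built in memory with placeholder parts only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes")
    return buf.getvalue()
```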

Finally, a Structural Sanitization layer is cost-effective and can be quickly added to your existing email security solution (protecting your on-premises or cloud-hosted email, e.g. Microsoft Office 365 or Google Gmail) without having to ‘rip and replace’, and it provides the most comprehensive defense against ever-evolving email embedded malware.
