
MortalKombat Ransomware and Tengyun Snake Attacks: Emerging Email Threats

by Janos Rotzik, Technical Marketing Manager

Attachment-based malware is a persistent threat that shows no sign of dying out. In early 2023 a new ransomware family named MortalKombat was exposed. It spreads through phishing emails and first targeted victims in the United States, with further victims in the United Kingdom, Turkey, and the Philippines. Around the same time, an advanced persistent threat (APT) group tracked as APT-C-61, also known as Tengyun Snake, was active in South Asia and expanded its scope to Iran, Turkey, and other countries, using a similar initial attack vector. Together, these two emerging threats highlight the need to move beyond a purely detection-based approach and adopt prevention-based solutions.

The Kill Chain

The two attacks use a similar initial attack vector, phishing email, but their kill chains are distinct. For MortalKombat, the chain starts when the threat actor delivers a malicious ZIP attachment containing the payload. Once the victim unpacks the attachment and opens the extracted file, the ransomware loader is deployed and launches a multi-stage attack.

In contrast, Tengyun Snake follows a more elaborate kill chain. The attackers first use social engineering, posing as government departments. Selected targets then receive spear-phishing emails carrying compressed archives that contain malicious PDF or Word documents, for example documents that abuse Office's Dynamic Data Exchange (DDE) feature. When the victim opens the document, custom malware is deployed that exfiltrates data silently.

Why the Detection-Based Approach Did Not Work

Although the two attacks have different kill chains and objectives (MortalKombat aimed at financial gain, while Tengyun Snake focused on stealing sensitive data such as intellectual property from targets across a variety of industries, including government, military, energy, technology, and other high-value organizations), they share one thing: detection-based security measures alone would not have caught them.

In both cases the malware arrived as an attachment inside a phishing email. Because these delivery mechanisms let attackers cheaply produce new variants, there is no signature for a fresh sample, so signature-based antivirus engines would not have detected it. Blocking the sender addresses associated with the phishing emails is not a reliable fix either, since spoofing lets attackers forge or rotate the sender and sidestep such blocklists altogether.

The Solution: A Prevention-Based Approach to Email Security

Preventing email-borne threats requires more than a detection-based solution. Advanced malware can be addressed with a prevention-based approach: by proactively disarming active content so that it never triggers in the first place, organizations can protect mailboxes from unknown and advanced threats.

Content Disarm and Reconstruction (CDR) is a technology recommended by market analysts. It takes a file apart, removes or disarms its active content (macros, embedded scripts, external-data fields, and the like), and then reconstructs a file with the same usable characteristics as the original. The result is a closely similar file without the potentially malicious content. Because CDR does not rely on recognizing the threat, it neutralizes zero-day malware and unknown exploits that depend on active content, even when no signature exists for them.

[Diagram: OPSWAT's prevention-based email security process]

OPSWAT MetaDefender Email Security

OPSWAT MetaDefender Email Security is a comprehensive email security solution. Its advanced capabilities protect mailboxes from zero-day malware and unknown exploits.

Multi-layered Anti-Phishing Technology

OPSWAT MetaDefender Email Security employs a multi-layered anti-phishing approach. It uses heuristics and machine learning to block spam and phishing messages, and it rewrites URLs in message bodies so that each link's reputation is checked against 30+ online sources at time of click. Checking at click time rather than at delivery catches links that were benign when the email arrived but were weaponized afterwards, a common pattern in sophisticated social engineering campaigns.
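The following is an added example of the time-of-click rewriting technique described above, not OPSWAT's own code. It assumes a hypothetical click gateway at `https://clickguard.example/r`, a hypothetical per-tenant HMAC key, and a caller-supplied `is_bad_host` callable standing in for the online reputation sources; the email body is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Added example of time-of-click URL rewriting (constructed; not OPSWAT's implementation).
# At delivery every link is replaced by a gateway link carrying the original URL and an HMAC.
# At click time the gateway verifies the HMAC and checks the destination's reputation *then*,
# so a link that was clean at delivery and weaponized later is still blocked.
GATEWAY = "https://clickguard.example/r"   # hypothetical gateway endpoint
SECRET = b"per-tenant-secret-rotate-me"    # hypothetical signing key

HREF = re.compile(r'href="(https?://[^"]+)"', re.I)


def _sign(url: str) -> str:
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_links(html: str) -> str:
    """Replace every http(s) href in an email body with a signed gateway link."""
    def repl(m: re.Match) -> str:
        original = m.group(1)
        token = base64.urlsafe_b64encode(original.encode("utf-8")).decode().rstrip("=")
        return f'href="{GATEWAY}?u={token}&s={_sign(original)}"'
    return HREF.sub(repl, html)


def resolve_click(gateway_url: str, is_bad_host) -> tuple[str, str]:
    """Gateway side: verify the token, then consult *current* reputation for the host."""
    q = parse_qs(urlsplit(gateway_url).query)
    try:
        token, sig = q["u"][0], q["s"][0]
        original = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode("utf-8")
    except (KeyError, ValueError):
        return "reject", "malformed link"
    if not hmac.compare_digest(_sign(original), sig):
        return "reject", "signature mismatch"     # token was altered or forged
    host = (urlsplit(original).hostname or "").lower()
    if is_bad_host(host):                         # reputation lookup happens at click time
        return "block", original
    return "allow", original


# Constructed email body for the demonstration.
BODY = '<p>Invoice attached. <a href="https://pay.example.net/inv/42">Pay now</a></p>'


def demo() -> tuple[str, str]:
    """Rewrite at delivery, then resolve a click after the host has been listed as bad."""
    rewritten = rewrite_links(BODY)
    link = HREF.search(rewritten).group(1)
    return resolve_click(link, lambda h: h == "pay.example.net")
```

The signature binds the token to the original URL so that a user (or an attacker who obtains a rewritten link) cannot point the gateway at a different destination; the reputation decision is deliberately taken inside `resolve_click`, after delivery, which is the whole point of rewriting.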

Zero-Day Threats Prevention

OPSWAT MetaDefender Email Security prevents zero-day threats and unknown exploits by sanitizing email bodies and attachments with OPSWAT's proprietary Deep CDR technology. Deep CDR takes a file apart, removes all potentially malicious active content, and then reconstructs the file with the same characteristics so that it remains usable. Deep CDR supports over 100 file types, and it also handles password-protected files, provided the password is available to the sanitizer.

Because Deep CDR is a prevention-based technology, it is far more effective at neutralizing unknown threats, including customized malware, than detection-based security alone, ensuring that enterprises and critical infrastructure operators receive only clean emails in their corporate inboxes.
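To make the CDR process described above concrete (both the general take-apart, disarm, reconstruct description and the Deep CDR section), here is an added, self-contained example of the technique applied to a Word attachment; it is illustrative code written for this page, not OPSWAT's Deep CDR engine. It unpacks an OOXML package, drops VBA parts, strips field codes that launch programs or pull remote content (such as the DDE fields mentioned in the Tengyun Snake kill chain), repairs the package metadata, and writes a fresh archive. The sample document, the placeholder VBA part, and the regex-based XML handling are assumptions made for the demonstration; a production engine parses the full OOXML tree.

```python
import io
import re
import zipfile

# Added CDR-style example (not OPSWAT's Deep CDR): unpack a Word (OOXML) package, drop VBA
# parts, strip field codes that reach outside the document, fix package metadata, rebuild.
CONTENT_TYPES = "[Content_Types].xml"
DOC_RELS = "word/_rels/document.xml.rels"
MACRO_DOC_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOC_CT = ("application/vnd.openxmlformats-officedocument"
                ".wordprocessingml.document.main+xml")

MACRO_PART = re.compile(r"word/(?:_rels/)?vba(?:Project|Data)\.")   # VBA storage parts
FIELD_PARTS = re.compile(r"word/(?:document|header\d*|footer\d*|footnotes|endnotes)\.xml$")
DANGEROUS_FIELDS = re.compile(r"\b(?:DDEAUTO|DDE|INCLUDEPICTURE|INCLUDETEXT)\b", re.I)
SIMPLE_FIELD = re.compile(r"<w:fldSimple\b[^>]*>.*?</w:fldSimple>|<w:fldSimple\b[^>]*/>", re.S)
# A complex field runs from the <w:r> holding fldChar "begin" to the <w:r> holding "end".
COMPLEX_FIELD = re.compile(
    r'<w:r>(?:(?!<w:r>).)*?<w:fldChar w:fldCharType="begin"/>.*?'
    r'<w:fldChar w:fldCharType="end"/>(?:(?!</w:r>).)*?</w:r>', re.S)
VBA_REL = re.compile(r"<Relationship\b[^>]*vbaProject\.bin[^>]*/>")
VBA_CT = re.compile(r"<(?:Override|Default)\b[^>]*vbaProject[^>]*/>")


def disarm_fields(xml: str) -> tuple[str, int]:
    """Remove every field whose instruction can launch a program or fetch remote content."""
    removed = 0

    def drop(m: re.Match) -> str:
        nonlocal removed
        if DANGEROUS_FIELDS.search(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    xml = SIMPLE_FIELD.sub(drop, xml)
    xml = COMPLEX_FIELD.sub(drop, xml)
    return xml, removed


def disarm_part(name: str, text: str) -> tuple[str, list[str]]:
    """Rewrite one XML/rels part; returns the new text and the actions taken."""
    actions: list[str] = []
    if FIELD_PARTS.match(name):
        text, n = disarm_fields(text)
        if n:
            actions.append(f"removed {n} external-reference field(s) from {name}")
    elif name == DOC_RELS:
        text, n = VBA_REL.subn("", text)
        if n:
            actions.append("removed vbaProject relationship")
    elif name == CONTENT_TYPES:
        text, n = VBA_CT.subn("", text)
        if n:
            actions.append("removed vbaProject content type")
        if MACRO_DOC_CT in text:                      # .docm semantics -> plain .docx
            text = text.replace(MACRO_DOC_CT, PLAIN_DOC_CT)
            actions.append("downgraded macro-enabled content type to plain document")
    return text, actions


def disarm_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without macros or dangerous fields; report what was removed."""
    actions: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART.match(name):
                actions.append(f"dropped macro part {name}")
                continue                              # VBA storage never reaches the clean file
            payload = src.read(name)
            if name.endswith((".xml", ".rels")):      # text parts that may carry active content
                text, done = disarm_part(name, payload.decode("utf-8"))
                actions += done
                payload = text.encode("utf-8")
            dst.writestr(name, payload)               # fresh entry; original ZIP headers not reused
    return out.getvalue(), actions


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


def has_active_content(data: bytes) -> bool:
    """Check used here only to confirm that the rebuilt file is clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(MACRO_PART.match(n) for n in names):
            return True
        for n in filter(FIELD_PARTS.match, names):
            xml = z.read(n).decode("utf-8")
            for rx in (SIMPLE_FIELD, COMPLEX_FIELD):
                if any(DANGEROUS_FIELDS.search(m.group(0)) for m in rx.finditer(xml)):
                    return True
    return False


def build_sample_docm() -> bytes:
    """Constructed sample: a macro-enabled document with a DDEAUTO field. Not real malware."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          f'<Override PartName="/word/document.xml" ContentType="{MACRO_DOC_CT}"/></Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"'
            ' Target="vbaProject.bin"/></Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
           '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
           '<w:p><w:fldSimple w:instr="DDEAUTO c:\\windows\\system32\\cmd.exe &quot;/c evil.exe&quot;">'
           '<w:r><w:t>click to update</w:t></w:r></w:fldSimple></w:p>'
           '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> PAGE </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CONTENT_TYPES, ct)
        z.writestr(DOC_RELS, rels)
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", b"placeholder VBA storage")  # stand-in for real VBA
    return buf.getvalue()
```

Run `disarm_docx(build_sample_docm())` to get the rebuilt package and a list of actions. Note what survives: the document text and the harmless PAGE field are kept, while the DDEAUTO field, the VBA part, its relationship, and the macro-enabled content type are gone, which is the reconstruct half of CDR. Writing every entry afresh rather than copying the original ZIP records is deliberate, so that nothing from the attacker-controlled container structure is carried over.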

Advanced Malware Protection

OPSWAT MetaDefender Email Security extends malware scanning with Multiscanning technology, which scans files with over 20 leading AV engines simultaneously, complemented by heuristic and machine learning capabilities. The result is a 99% detection rate, blocking even sophisticated email threats such as zero-day malware and ransomware.

Simplified Regulatory Compliance

To prevent data leaks, OPSWAT MetaDefender Email Gateway uses Proactive Data Loss Prevention technology, which blocks sensitive and confidential data in emails. When it finds sensitive data, it redacts it so that the data cannot leave the organization. This works with over 40 file types, including region-specific formats.

Advanced malware threats such as MortalKombat and Tengyun Snake are growing risks that can cost organizations millions. That does not mean your organization has to remain vulnerable. OPSWAT MetaDefender Email Security provides the capabilities you need to protect your organization's mailboxes from advanced threats.

Talk to our security experts now for more information or a live demo.
