
The Missing Link in Email Security

by Janos Rotzik, Technical Marketing Manager

As reported by thehackernews.com, a spear-phishing campaign targeting journalists in the United States has been attributed to the state-sponsored threat actor tracked as APT37. The intruders deployed a new malware strain called GOLDBACKDOOR, delivering the backdoor through a multi-stage infection process designed to evade detection.

These attackers also knew that the surest way to avoid detection by AV engines was not to send a malicious attachment at all. Instead, the email contained a link to download a ZIP archive from a remote server impersonating a news portal focused on North Korea. Embedded in the archive is a Windows script that serves as a jumping-off point: it launches a PowerShell script that opens a malicious document while simultaneously installing the GOLDBACKDOOR backdoor. The backdoor lets the attackers retrieve commands from a remote server, upload and download files, record files, and remotely uninstall itself from compromised machines.

According to the 2021 Verizon Data Breach Investigations Report, the median click rate in phishing simulations is 3%, and for some organizations it is as high as 20-40%. Since most organizations receive very high volumes of malicious email, it takes only a few dozen messages before one of these attacks succeeds. It should come as no surprise that 85% of breaches involve a human element: email gives attackers a direct path to employees. Many security frameworks and compliance initiatives require user awareness training, but training alone is clearly insufficient.

The typical malicious email attack chain

Could this happen to you?

Malicious email attacks are so effective because of social engineering. Phishing accounts for 81% of social engineering incidents and is one of the top actions that actually result in a breach (according to Verizon). Phishing attacks impersonate a trusted individual or brand in order to deliver malicious content or steal credentials, and when that content is hosted on a website rather than attached to the message, scanning attachments with email-based AV engines finds nothing to detect.

As the GOLDBACKDOOR multi-stage malware case demonstrated, the messages were sent from the personal email address of a former South Korean intelligence official, lending them credibility, and relied on look-alike news portal pages designed to install a backdoor and steal sensitive information.

Advanced attackers have also noticed that some email security solutions scan URLs in addition to attachments, so their campaigns have evolved to evade URL detection with URL shorteners, redirect chains, or unique, never-before-seen URLs that have no reputation yet at the time the message is scanned.

The value of time-of-click URL reputation analysis

The reality is that AV is only the first pillar of email security; organizations also need protection against malicious emails that contain no attachment at all. MetaDefender Email Security counters phishing on several levels. First, emails containing known phishing URLs are blocked before they reach a user's inbox. Next, suspicious URLs can be neutralized by converting the active hyperlink into plain text, so it can no longer be clicked. Finally, the reputation of a URL is checked again at the moment it is clicked, which protects users even after an email has been delivered and a URL that was unknown at delivery time has since been classified as malicious.

This reputation analysis covers the sender's IP address, the email headers (the FROM address, FROM domain and REPLY-TO address) and the body of the email, including any hidden hyperlinks. OPSWAT MetaDefender Cloud gathers data from multiple real-time online sources specializing in IP address, domain and URL reputation and exposes a lookup service that returns the aggregated results. MetaDefender Email Security uses this service to identify threats such as botnet infrastructure or phishing sites that would never be found by scanning files, because the malicious content is only fetched when the user follows the link.
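The three layers described above (header and hidden-hyperlink analysis, neutralizing suspicious links into plain text, and re-checking reputation at click time), together with the shortener and look-alike-text evasions mentioned earlier, can be illustrated end to end in a short script. This is an added example written for this page, not OPSWAT's code, and it says nothing about how MetaDefender Email Security is actually implemented. The blocklist, the shortener list, the click-check gateway URL (`clickcheck.example.invalid`) and the sample message are all constructed for the illustration; the registered-domain helper is deliberately naive (last two labels) where a real product would consult the public suffix list.

```python
# Added example: delivery-time and click-time URL triage for one email message.
# Not OPSWAT's code; every feed, hostname and message below is constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

BLOCKLIST = {"news-portal-example.test"}                # constructed reputation feed
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}          # destination hidden behind a redirect
GATEWAY = "https://clickcheck.example.invalid/u?url="   # hypothetical click-time gateway

# Constructed sample: Reply-To mismatch, a known-bad host, a shortener whose anchor
# text shows a different site, an invisible tracking link, and one clean link.
SAMPLE_EMAIL = """\
From: "Former Official" <contact@personal-mail.example>
Reply-To: attacker@reply.example
Subject: Article for your review
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please read the <a href="https://news-portal-example.test/briefing.zip">briefing</a>.</p>
<p>Source: <a href="https://bit.ly/3xyzabc">https://www.news-portal.example/</a></p>
<a href="https://tracker.example/open?id=123" style="display:none">.</a>
<p><a href="https://www.news-portal.example/about">About us</a></p>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects every <a> with its href, visible text, and whether CSS hides it."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            style = (a.get("style") or "").replace(" ", "").lower()
            self._open = {"href": a.get("href") or "", "text": "",
                          "hidden": "display:none" in style or "visibility:hidden" in style}
    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self._open["text"] = self._open["text"].strip()
            self.links.append(self._open)
            self._open = None

def registered_domain(host):
    """Naive eTLD+1 (last two labels); a real deployment uses the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def header_findings(msg):
    """Header check: Reply-To steering replies to a different domain than From."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and registered_domain(reply_dom) != registered_domain(from_dom):
        return [f"reply-to domain {reply_dom} differs from from domain {from_dom}"]
    return []

def link_findings(link, blocklist):
    """Body check for one hyperlink; an empty list means it passed delivery-time checks."""
    reasons, host = [], host_of(link["href"])
    if host in blocklist:
        reasons.append("known-bad host")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if link["hidden"] or not link["text"]:
        reasons.append("hidden hyperlink")
    shown = re.match(r"https?://([^/\s]+)", link["text"])  # anchor text that looks like a URL
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
    return reasons

def defang(url):
    s = urlsplit(url)
    return f"{s.scheme.replace('http', 'hxxp')}://{(s.hostname or '').replace('.', '[.]')}{s.path}"

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)

def neutralize_html(html, suspicious_hrefs):
    """Replaces suspicious anchors with plain, unclickable text (the 'plain text' step)."""
    def repl(m):
        href, text = m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip()
        if href not in suspicious_hrefs:
            return m.group(0)
        return f"{text + ' ' if text else ''}[link removed: {defang(href)}]"
    return ANCHOR_RE.sub(repl, html)

def wrap_for_click_check(url):
    """Rewrites a link so the click goes through the gateway instead of straight to the site."""
    return GATEWAY + quote(url, safe="")

def click(wrapped_url, blocklist):
    """What the gateway does at click time: unwrap and consult the reputation feed now."""
    original = unquote(wrapped_url[len(GATEWAY):])
    return ("block" if host_of(original) in blocklist else "allow"), original

def triage(raw_message, blocklist=BLOCKLIST):
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    links = {lk["href"]: link_findings(lk, blocklist) for lk in parser.links}
    suspicious = {h for h, r in links.items() if r}
    body = neutralize_html(body, suspicious)
    for href in links:  # links that passed are still wrapped so they are re-checked on click
        if href not in suspicious:
            body = body.replace(f'href="{href}"', f'href="{wrap_for_click_check(href)}"')
    return {"header": header_findings(msg), "links": links, "body": body}

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["header"], result["links"], result["body"], sep="\n")
```

Running `triage` on the sample flags the Reply-To mismatch, the blocklisted download host, the shortener whose anchor text displays a different domain, and the CSS-hidden tracking link, and rewrites those four anchors into unclickable defanged text. The one link that passes is not left alone either: it is wrapped to pass through the gateway, so a later `click` against an updated blocklist (simulated here by adding `www.news-portal.example`) blocks a destination that looked clean when the message was delivered. That last step is the whole point of time-of-click analysis: the verdict is made with the reputation data available when the user acts, not when the mail arrived.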

MetaDefender Email Security: A Defense-in-Depth Solution

The OPSWAT Email Security solution reduces human error by uncovering potential phishing attacks at multiple stages and protecting users from social engineering, so the IT department can rely less on user awareness alone.

Contact OPSWAT and ask how we can help improve your email security with AV and phishing protection. Download our free whitepaper to learn more about best practices for email security.
