Hackers have devised a new malware delivery method: deliberately broken or corrupted files that antivirus software cannot parse. Once victims let their applications recover them, the malicious content opens on their systems.
Threat intelligence services vendor ANY.RUN, which runs an interactive malware analysis sandbox, is warning about potential zero-day exploitation in the wild.
Threat actors are sending phishing emails with deliberately corrupted ZIP archives or MS Office files as attachments. The malicious content inside them is only processed once the user attempts to recover the file.
For example, a broken DOCX document will not open in Word, but the program will prompt: “Do you want to recover the contents of this document?”
Once a user presses “Yes”, the Word app reconstructs and processes the malicious file.
This trick evades antivirus detection and bypasses Outlook’s spam filters, allowing malicious emails to reach the inbox. The files only open in their corresponding programs, and only through those programs’ recovery mode.
“Threat actors attempt to conceal the file type by deliberately corrupting it, making it difficult for certain security tools to detect,” ANY.RUN said on X.
“Although broken and corrupted, the file remains undetectable by security tools, yet user applications handle it seamlessly due to built-in recovery mechanisms exploited by attackers.”
🚨ALERT: Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection 🧵 (1/3)
⚠️ The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox
The #ANYRUN team…
ANY.RUN (@anyrun_app), November 25, 2024
None of the 60 security vendors on VirusTotal marked the analyzed files as malicious.
When handed a corrupted archive, security solutions try to do what they always do: extract the members and scan each one. Extraction fails, they find no files inside, and the archive itself is never treated as an object worth scanning, so the scanning process never starts.
“Attackers exploit the recovery mechanisms of ‘damaged’ files in a way that corresponding programs like Microsoft Word, Outlook, or WinRAR, which have built-in recovery procedures, handle such files without issues,” the researchers explained.
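The two code paths the researchers contrast, extract-then-scan on the scanner side and header-by-header recovery on the application side, can be reproduced with a stock ZIP. The following is an added example written for this article, not ANY.RUN's tooling or the attackers' files: it builds a small archive, strips the central directory (one realistic way such a file ends up "corrupted"), shows that `zipfile` refuses it while a repair-style carver that walks local file headers still recovers the member, and then compares a naive verdict with a recovery-aware one. The member name, its text and the indicator string are constructed placeholders, not real indicators of compromise.

```python
"""Damaged ZIP vs. extract-then-scan vs. recovery-aware scanning (added example)."""
import io
import struct
import zipfile
import zlib

# Constructed stand-ins modelled on the HR lure in the article (hypothetical values).
MEMBER_NAME = "salary_increase.docx"
MEMBER_DATA = b"Scan the QR code below to open your secure document."
INDICATOR = b"Scan the QR code"   # constructed detection string, not a real IOC

LOCAL_HEADER = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # 30-byte local file header (sig, ver, flags, method, time, date, crc, csize, usize, nlen, elen)


def build_zip(name: str, data: bytes) -> bytes:
    """Build a well-formed archive with one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def corrupt_zip(blob: bytes) -> bytes:
    """Drop the central directory and the end-of-central-directory (EOCD) record.
    The local file headers and compressed data stay intact, which is exactly
    the kind of damage an archiver's repair feature can undo."""
    eocd = blob[-22:]                      # no archive comment, so EOCD is the last 22 bytes
    if eocd[:4] != b"PK\x05\x06":
        raise ValueError("unexpected archive layout")
    cd_offset = struct.unpack("<I", eocd[16:20])[0]
    return blob[:cd_offset]


def extract_then_scan(blob: bytes) -> dict:
    """Conventional path: parse via the central directory and extract members.
    A damaged archive raises, so nothing is extracted and nothing gets scanned."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {i.filename: zf.read(i) for i in zf.infolist()}
    except zipfile.BadZipFile:
        return {}


def carve_members(blob: bytes) -> dict:
    """Recovery path: ignore the central directory, walk local file headers,
    inflate each member and verify its CRC, roughly what "repair" does."""
    members = {}
    pos = blob.find(LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(blob):
        (_sig, _ver, flags, method, _t, _d, crc, csize, _usize, nlen, elen) = \
            struct.unpack(LOCAL_HEADER_FMT, blob[pos:pos + 30])
        data_start = pos + 30 + nlen + elen
        if flags & 0x08:
            # Sizes live in a trailing data descriptor (streamed archives); not handled here.
            pos = blob.find(LOCAL_HEADER, data_start)
            continue
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        raw = blob[data_start:data_start + csize]
        try:
            data = zlib.decompress(raw, -15) if method == 8 else raw if method == 0 else None
        except zlib.error:
            data = None
        if data is not None and zlib.crc32(data) == crc:
            members[name] = data
        pos = blob.find(LOCAL_HEADER, data_start + csize)
    return members


def naive_verdict(blob: bytes) -> str:
    """Scan only what the archive library hands back; a damaged file looks clean."""
    members = extract_then_scan(blob)
    return "malicious" if any(INDICATOR in d for d in members.values()) else "clean"


def recovery_aware_verdict(blob: bytes) -> str:
    """Fall back to carving when extraction fails, and never pass a damaged archive silently."""
    members = extract_then_scan(blob)
    damaged = not members
    if damaged:
        members = carve_members(blob)
    if any(INDICATOR in d for d in members.values()):
        return "malicious"
    return "suspicious: damaged archive" if damaged else "clean"


if __name__ == "__main__":
    intact = build_zip(MEMBER_NAME, MEMBER_DATA)
    damaged = corrupt_zip(intact)
    print("intact  :", naive_verdict(intact), "/", recovery_aware_verdict(intact))
    print("damaged :", naive_verdict(damaged), "/", recovery_aware_verdict(damaged))
```

The intact archive is caught either way; the damaged one yields "clean" from the naive path and "malicious" from the recovery-aware one, which is the gap the article describes. The practical takeaway for detection engineering is the last branch of `recovery_aware_verdict`: an attachment that no parser accepts should raise a flag on its own rather than fall through as nothing-to-scan.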
In the provided example, the phishing email impersonated the HR department, and the subject hinted at potential salary increases. Once recovered, the attached Word document urged users to scan an embedded QR code to open a “secure” file; the code most likely led to a malicious domain.
Similar tactics are often used to disseminate infostealers, capable of stealing login credentials, crypto wallets, credit card details, and other sensitive information.
ANY.RUN researchers warn that attackers have been using this new vector for at least several months now, with the first instances dating back to August.