Hijacked Thread Used in Password Protected Malware Attack
When attackers can use hijacked email threads, they lend instant credibility to their attacks, since victims believe they are simply continuing a conversation with the same person they were already emailing. In this case, the attacker first compromised a vendor's email account and then inserted themselves into an ongoing conversation with the target, sending the attack as a reply within that thread.
The attack itself instructs the recipient to open a file containing the “necessary records” for an upcoming meeting. Upon clicking the link, the target is asked to enter a password, which is included in the email itself. Once they do so, the malware is decrypted; Emotet, Qakbot, and other trojans are delivered this way, providing an initial foothold that is later used for follow-on attacks such as Ryuk ransomware.
Why It Bypassed Traditional Security
Because the email is sent from the compromised vendor account, it comes from a domain that passes SPF checks, and because the file is password protected, legacy solutions have difficulty scanning it for malware. Further, each copy of the malware is encrypted with a different random password, so the resulting file has a different hash and evades signature- and hash-based threat intelligence tools. Including the password in the email body makes it easily accessible to the human recipient but hard for automated systems to extract and apply when decrypting the file.
Detecting the Attack
To recognize this file as malicious, content analysis is required to detect both the presence of the link and the password needed to open the linked file. Further context about the recipients, their departments, and their normal communication patterns helps flag the suspicious content, even though most of the message duplicates earlier emails in the thread. Modeling this behavioral baseline is also what keeps the detection from producing false positives on legitimate replies that happen to share files.
Risk to Organization
If the target opens this file and enters the password, malware is likely to be installed on the device. From there, attackers can carry out a variety of follow-on attacks, including ransomware deployment, data theft, and more.