The third quarter saw a surge in cyber threats built on complex delivery chains. ISO and LNK files, alongside zero-click exploits, played a significant role in high-profile attacks. Supply chain targeting expanded to IT professionals and business servers, with Microsoft Teams and Facebook Messenger emerging as new delivery channels. This chapter examines the dynamics of Q3’s threat landscape, covering both evolving attacker tactics and resilient defensive strategies.
During the third quarter, ISO and LNK files delivered via email remained in use, and attackers often carried out high-profile attacks by leveraging previously undiscovered vulnerabilities, some of which require no user interaction at all (so-called zero-click attacks).
Supply chain attacks also remained widespread, mainly targeting IT professionals or business servers. Beyond email, Microsoft Teams and Facebook Messenger have emerged as two new channels for delivering malicious files. Given that a widely used open-source framework called TeamsPhisher, which targets organizations and accounts using Microsoft Teams, is publicly available on GitHub, this threat is likely to persist.
Polyglot Deception: MalDoc Techniques
We have observed a new technique in which attackers embed a malicious Word document (as an Active Mime object) inside a PDF file, a strategy that can let the file evade detection by scanners that classify it purely as a PDF. This technique, termed ‘MalDoc’, is a polyglot attack: the file is recognizable as a PDF, but it can also be opened as a Word document.
When such a file is opened as a .doc in Microsoft Office, the concealed malicious code runs.
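A detection-side illustration of the polyglot described above, added here as example code (it is not VMRay's tooling): it checks whether a file that starts as a PDF also carries MHTML/Active Mime Word content, typically appended after the PDF trailer where PDF readers ignore it. The marker strings, the base64 prefix and the sample files are assumptions constructed for the example and should be tuned against real samples.

```python
import base64

# Heuristic markers for an MHTML ("Active Mime") Word payload. These are
# assumptions chosen for this example, not a signature from the report.
MIME_MARKERS = (b"MIME-Version:", b"multipart/related", b"mso-application")
# Base64 of the leading bytes of an ActiveMime (.mso) part as it appears
# inside an MHT file; assumes the encoded part starts at the part boundary.
ACTIVE_MIME_B64 = base64.b64encode(b"ActiveMime")[:12]  # b"QWN0aXZlTWlt"


def analyze_pdf_polyglot(data: bytes) -> dict:
    """Flag a file that looks like a PDF but also carries MHTML Word content."""
    is_pdf = data.startswith(b"%PDF-")
    eof = data.rfind(b"%%EOF")
    # Bytes after the last %%EOF are ignored by PDF readers but seen by Word.
    trailing = data[eof + len(b"%%EOF"):] if eof != -1 else b""
    markers = [m.decode() for m in MIME_MARKERS if m in data]
    has_active_mime = ACTIVE_MIME_B64 in data
    suspect = is_pdf and (has_active_mime or len(markers) >= 2)
    return {
        "is_pdf": is_pdf,
        "trailing_bytes": len(trailing.strip()),
        "mime_markers": markers,
        "active_mime_b64": has_active_mime,
        "suspect": suspect,
    }


# Constructed samples (not real malware): a minimal benign PDF, and the same
# PDF with a fake MHTML Word wrapper appended after %%EOF.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
FAKE_MSO = base64.b64encode(b"ActiveMime" + b"\x00" * 16)
POLYGLOT = BENIGN_PDF + (
    b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"b\"\r\n\r\n"
    b"--b\r\nContent-Type: text/html\r\n\r\n<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
    b"<head><meta name=ProgId content=Word.Document></head></html>\r\n"
    b"--b\r\nContent-Location: editdata.mso\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + FAKE_MSO + b"\r\n--b--\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT)):
        print(name, analyze_pdf_polyglot(blob))
```

A real scanner would also parse the PDF object structure and submit flagged files to sandbox analysis rather than rely on string markers alone.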
QBot’s Comeback: Unveiling New Delivery Chain Tactics
Additionally, the threat actors behind QBot became active again, even though the FBI had infiltrated and shut down their infrastructure and operation. In their comeback, they again switched to an unusual delivery chain that involves new file types such as Microsoft Excel Add-Ins (XLL).
This figure shows a summary of the delivery chains that VMRay Threat Labs has observed in the wild throughout the past months.
VMRay Malware & Phishing Threat Landscape – Q3/2023