Hackers are using malicious Microsoft Publisher files to create backdoors in Windows computers. The files are being used in targeted attacks on businesses, with a view to stealing sensitive data. A new campaign has been identified by Bitdefender that is targeting small to medium-sized businesses in the UK and China. So far, around 2,000 of the malicious emails have been captured.
Spear phishing emails containing malicious Microsoft Publisher files appear to be sent from employees in legitimate businesses. The emails claim to contain a purchase order and users are advised to open the attachment to view details of the order and to confirm that it has been received.
It is relatively rare for spammers to use the .pub format to spread malware; they tend to prefer other Microsoft Office formats. Far fewer people have Microsoft Publisher installed on their computers, so the probability of recipients being able to open the file is lower. However, since the file format is rarely used by scammers, and end users do not typically associate it with malware, there is a high risk of the files being opened.
If the malicious Microsoft Publisher files are opened, a VBScript is run that contains an embedded URL pointing to a remote host. According to Bitdefender, the malware then “downloads a self-extracting cabinet file containing an AutoIt script, a tool to run the script and an AES-256 encrypted file.”
The file is decrypted and a backdoor is installed on the infected computer. The backdoor allows attackers to control resources on the infected computer and perform a wide range of malicious actions. The malware that is installed also steals information such as login credentials and system data and sends the information to the attackers. The damage that can be caused by the attackers is considerable.
There are a number of controls that can be put in place to prevent infection. A robust anti-spam solution can be used to prevent the emails from being delivered to inboxes, although sys admins will need to configure their spam filters to block this relatively uncommon file format. End users should also be trained to identify malicious emails and should be instructed not to open suspicious email attachments from unknown senders.
Anti-malware and anti-virus software should also be installed on all devices and virus definitions should be updated automatically.
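As an added illustration of the attachment-blocking control described above (example code, not part of the original article or of Bitdefender's analysis), the following Python filter parses a raw email and quarantines Publisher attachments by extension or MIME type, and also flags an attachment whose bytes carry the OLE2 compound-document signature that .pub files use while its filename claims an unrelated format. The sample message, filenames and payload bytes are constructed for the demonstration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Publisher attachments, matched by extension or declared MIME type.
BLOCKED_EXTENSIONS = {".pub"}
BLOCKED_MIME_TYPES = {"application/x-mspublisher"}
# Magic bytes of an OLE2 compound document; .pub (like legacy .doc/.xls) uses
# this container, so a renamed Publisher file can still be spotted by content.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_EXTENSIONS = {".pub", ".doc", ".xls", ".ppt", ".msg"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments that should be quarantined."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type().lower()
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or ctype in BLOCKED_MIME_TYPES:
            findings.append((name, "publisher attachment"))
        elif payload.startswith(OLE_MAGIC) and ext not in OLE_EXTENSIONS:
            # Content is an OLE container but the name says otherwise.
            findings.append((name, "OLE container with mismatched extension"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a fake purchase-order email with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "orders@example.org"
    msg["Subject"] = "Purchase order"
    msg.set_content("Please open the attached order and confirm receipt.")
    # Constructed OLE-looking payload: just the magic bytes plus padding.
    fake_ole = OLE_MAGIC + b"\x00" * 32
    msg.add_attachment(fake_ole, maintype="application", subtype="octet-stream",
                       filename="PO-4471.pub")          # caught by extension
    msg.add_attachment(fake_ole, maintype="application", subtype="pdf",
                       filename="invoice.pdf")          # caught by magic/extension mismatch
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")  # benign, not flagged
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in attachment_findings(build_sample_message()):
        print(f"quarantine {filename}: {reason}")
```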