
Malicious Password-protected Documents used in Targeted Attacks

Created: 29 Dec 2011 10:15:41 GMT • Updated: 23 Jan 2014 18:18:00 GMT • Translations available: 日本語
By Joji Hamada

Recently, we discovered malware in the wild in the form of password-protected document files, such as PDF and Word files. These documents are used as email attachments in limited, targeted attacks.

Document passwords are normally used to prevent unauthorized access to a file by encrypting it. Attackers, however, are misusing this feature to encrypt their own files, most likely to make it harder for security products to detect them as malware. It also makes reverse engineering harder, because the files must be decrypted before any analysis can be performed.

The malware itself is nothing special. It is no different from the common attachments used in typical targeted attacks, except that a password is required to open it. Various office suites include a password-encryption feature, so word-processor documents are not the only file type that can be used for this sort of attack: spreadsheet and presentation files are affected as well.

In the past, we have often seen password-protected email attachments, but these have usually been archive files. The archive itself is not usually detected, but the files inside it are detected once they are extracted. In this particular attack, however, the attached document files themselves are password-protected, meaning their content is encrypted. We can nonetheless still prevent infection: security products using traditional as well as proactive detection catch the dropped and/or downloaded files, as with any other type of attack. However, please be aware of this new trick when you encounter password-protected documents in unsolicited emails.
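A mail gateway or triage script can at least recognise that an attachment is password-protected, and therefore cannot be content-scanned, before anyone opens it. The following is an added example written for this post (not Symantec's code); it inspects the raw bytes of PDF, OLE2 and zip-based attachments for the format-level markers of encryption, and the sample attachments at the bottom are constructed byte patterns, not real malware.

```python
import re
import struct

# Well-known format markers
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB container: legacy .doc/.xls/.ppt and encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                          # plain zip: unencrypted .docx/.xlsx/.pptx, or an archive
# Encrypted OOXML keeps the ciphertext in a CFB stream named "EncryptedPackage" (stored as UTF-16LE)
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
# An encrypted PDF references an /Encrypt dictionary from its trailer
PDF_ENCRYPT = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")


def classify_attachment(data: bytes) -> tuple[str, bool]:
    """Return (format, password_protected) from the file bytes alone, without opening the document."""
    if data.startswith(PDF_MAGIC):
        return "pdf", PDF_ENCRYPT.search(data) is not None
    if data.startswith(OLE_MAGIC):
        # Heuristic: the stream name is visible in the CFB directory. Legacy binary Word/Excel
        # encryption flags live inside the WordDocument/Workbook streams and are not parsed here.
        return "ole", ENCRYPTED_PACKAGE in data
    if data.startswith(ZIP_MAGIC) and len(data) >= 8:
        # Local file header: general purpose bit flag at offset 6; bit 0 means the entry is encrypted
        flags = struct.unpack_from("<H", data, 6)[0]
        return "zip", bool(flags & 0x0001)
    return "unknown", False


def hold_for_review(attachments: dict[str, bytes]) -> list[str]:
    """Names of attachments to hold for inspection: password-protected files cannot be content-scanned."""
    return [name for name, blob in attachments.items() if classify_attachment(blob)[1]]


# Constructed sample attachments (minimal byte patterns, not real documents or malware)
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
    "invoice.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "memo.docx": OLE_MAGIC + b"\x00" * 24 + ENCRYPTED_PACKAGE + b"\x00" * 8,   # encrypted OOXML wrapper
    "notes.docx": ZIP_MAGIC + struct.pack("<HHH", 20, 0, 8) + b"\x00" * 20,    # ordinary unencrypted docx
    "archive.zip": ZIP_MAGIC + struct.pack("<HHH", 20, 1, 8) + b"\x00" * 20,   # password-protected zip
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_attachment(blob))
    print("hold for review:", hold_for_review(SAMPLES))
```

A hit only means the attachment cannot be scanned, not that it is malicious; the point is to route such files to sandboxing or manual review instead of letting an "unscannable" result pass as clean.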

Attackers will continue to add tricks to their repertoire, but as long as a multi-layered defence is in place, the risk of infection should be no higher than for other types of targeted attack.