Keysight Connect #7 - When documents attack

2021-07-08  |  4 min read 

Anyone with access to an electronic device is likely to have an email or use some type of document, such as Excel or Word. Because we have such an active presence online, we are more exposed to new threats and malicious activity. Since misconfigurations can occur at any point, we at Keysight take an added interest in your security

Phishing messages, spam emails, and malicious documents are one of the most common ways an attacker might try to infect or attack someone. Emotet, Trickbot, and Agent Tesla are all cyber-threats that use malicious documents as their attack tools.  

There is some good news that comes out of this, though. As of January 27th, 2021, the Emotet botnet infrastructure has been taken down, followed by its final takedown on April 25th, 2021, when the Emotet malware was uninstalled from any infected devices. While we can breathe easily for maybe a second, it doesn’t stop any future such threats from recurring. So let’s be ready for them. 

Emotet

Emotet was originally designed as a banking malware that would attempt to sneak onto your computer to steal private and sensitive information. Later versions of the software saw the addition of malware delivery services. Emotet also used functionality to evade detection by some anti-malware software.

Emotet was essentially a trojan that was spread primarily through spam emails. It used worm-like capabilities to help itself spread to other possibly connected computers. This particular functionality has deemed Emotet one of the most destructive and costly malware affecting different sectors, organizations, and individuals.  

Trickbot

Trickbot was also originally designed as a banking malware, same as Emotet, with its main scope being the theft of banking details and other credentials. It is now considered a modular malware ecosystem. Trickbot has numerous plugin modules, crypto mining, and persistence capabilities, as well as a growing association with follow-on ransomware infections. 

Trickbot is delivered usually through spam emails, making use of things like invoices, traffic violations, holiday greeting cards, and, more recently, the COVID-19 pandemic. It also attempts to disable antivirus protection (such as Windows Defender). 

Agent Tesla

Agent Tesla, within the family of remote access trojan (RAT), has grown more popular in recent months. Offered as a form of malware-as-a-service, it remains an active threat to Windows machines, allowing attackers to steal credentials and other information through screenshots, keyboard logging, and clipboard capture. 

Agent Tesla usually arrives as an attachment in a malicious email, the same as its other two counterparts. Recent months have seen continuous growth for Agent Tesla, and its newest versions use updated communication tactics, target more applications for credential theft, and pack new techniques for bypassing endpoint defense. 

 

Find out more about malware and the techniques attackers use to remain undetected by watching our latest Keysight Connect meetup video below 👇

 

** This video was recorded during a Keysight Technologies Romania online meetup. The content belongs to the speakers of the event. If you want to be notified about upcoming events, follow us on social media.