Tricks and Techniques for Delivering Malware via Email Attachments

Email with a Surprise: Exploring Tricks and Techniques for Delivering Malware

According to statistics, a significant portion of malware infections occur because users themselves run malicious files on their machines. This is the main goal of attackers using social engineering. Let’s take a look at the technical tricks and techniques they use.

Attachments and File Types

We’ll examine attacks involving files not from the perspective of how they’re delivered during a pentest or what’s written in them to trick users—that’s a topic for another time. Today, we’ll focus on several technical aspects, including file and extension masking, and discuss some useful hacks.

We won’t cover the delivery of HTML files with a JavaScript Blob object encoded in Base64, since this article is about tricking people, not bypassing security systems.

Generally, files delivered through communication channels can be grouped into the following categories:

  • Microsoft Office files
  • HTML (HTM, SHTML)
  • PDF
  • Archives (with or without a password) containing a payload
  • ICS calendar files

Let’s look at the tricks attackers use with each of these file types.

Breaking User Habits with Printing Requests

When an employee downloads a file from the internet or from an email attachment, they’re warned that the file’s contents may be unsafe.

Warning about unsafe file content

Want to ask them to disable protection in an unusual way? Pretend to be their boss in the email and say that the document (form, spreadsheet) needs to be printed and signed, as an HR employee will pick it up later today.

The employee opens the print window and sees that printing is unavailable.

Warning about print unavailability

They’re used to being asked to disable Protected View in the document itself, but this is a slightly different scenario. Word itself asks to disable protection, breaking the pattern for a security-aware user.

PDF Files

The image below shows a tweet (or whatever it’s called now) mentioning a malicious attack. Don’t mind the Google Translate quality.

Description of an attack via PDF file

You can read more about the details of this attack on the Fortinet website. This delivery method might come in handy for you.

When we did our first social engineering pentests in 2017, we used the Canarytokens service to track permissions for such downloads. Both we and the client considered it an incident and a sign of compromise if the user clicked “Allow” in the PDF file’s pop-up warning.

Canarytokens service interface

HTML Files

It’s common to see the following types of HTML files attached to emails:

  • With a redirect to your page, for example, using <meta http-equiv="refresh" content="0;URL=https://evil.com"/>
  • Containing a malicious iframe that loads your page from the internet. Security systems may not see the iframe, but the user will.
  • With phishing content. An example of such phishing is shown in a Sophos report.

Here’s another example of a phishing HTML file:

Imitation of an Excel file on a web page
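A defender-side scanner for the attachment constructs listed above, added here as an example (it is not code from the article). It relies only on Python's html.parser and a constructed sample page, and it also flags forms that post to a remote host, which covers the phishing-content case.

```python
from html.parser import HTMLParser

class AttachmentScanner(HTMLParser):
    """Collect the constructs the article lists in HTML attachments:
    meta-refresh redirects and iframes that pull in a remote page.
    Forms that post to a remote host (phishing content) are also noted."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content is "<seconds>;URL=<target>"; keep the target only
            content = a.get("content", "")
            target = content.split("=", 1)[1].strip().strip("'\"") if "=" in content else ""
            self.findings.append(("meta-refresh", target))
        elif tag == "iframe":
            self.findings.append(("iframe", a.get("src", "")))
        elif tag == "form" and a.get("action", "").lower().startswith(("http://", "https://")):
            self.findings.append(("remote-form", a["action"]))

def scan_html_attachment(html: str) -> list[tuple[str, str]]:
    """Return (kind, target) pairs for every suspicious construct found."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    # Constructed sample modelled on the redirect tag quoted above.
    SAMPLE = (
        '<html><head><meta http-equiv="refresh" content="0;URL=https://evil.com"/></head>'
        '<body><iframe src="https://evil.com/login" width="0" height="0"></iframe></body></html>'
    )
    for kind, target in scan_html_attachment(SAMPLE):
        print(f"{kind:12} {target}")
```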

Let’s also touch on masking the .html extension in email clients. For inattentive users, you can disguise an HTML attachment by inserting a lot of non-breaking spaces (U+00A0) between “docx” and “html” in the filename.

Imitation of a DOCX document in an HTML file name with non-breaking spaces

Yes, the icon won’t look like a Word document, but many users don’t notice this. Or you can just send it as is.

Imitation of a DOCX document in an HTML file name

Password-Protected Archives

We can’t ignore the classic method of hiding malware in a password-protected archive. While some security systems block such archives, this method is still quite effective.

An email with such an archive might look like this:

Good afternoon.
I’m attaching an archive with documents.
For security, the archive is password-protected.
Password: 12345
Regards, Andrey Petrov

Knowing that users may be trained to recognize such emails as suspicious, you can omit the password. Let the user ask for it, and you send it in a separate email. By checking the email headers, you can confirm that the reply is from the user, not the security team trying to analyze your payload.

Archives Without a Password

Here’s how we hid the real file extension in an archive:

Display of an EXE file in an archive, with many spaces in the name

Users often didn’t realize they were looking at a .exe file, not a .pdf. This is done by inserting multiple “medium mathematical spaces” (Unicode) after “pdf” in the filename Book.pdf.exe.

Description of the medium mathematical space

We managed to insert about 280 spaces in such a filename. So, unless the user expands the filename field in the archive viewer, they won’t see the .exe extension—which rarely happens.

Expanded display of the filename field in the archive

If you use a lot of regular spaces, it won’t help much to mask the real extension.

Display of the actual file extension
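A check for the padded filenames described here and in the HTML section above, added as an example rather than taken from the article. It assumes only the standard library (unicodedata identifies the padding: U+00A0 is NO-BREAK SPACE and the medium mathematical space is U+205F) and constructed sample names; it also catches long runs of ordinary spaces, the weaker variant the text mentions.

```python
import re
import unicodedata

# Extensions that execute or render active content when opened.
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta",
              "html", "htm", "shtml", "lnk"}
# Extensions users read as harmless documents (the decoys in the names above).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

def is_odd_space(c: str) -> bool:
    """True for any Unicode space separator other than plain U+0020
    (covers U+00A0 NO-BREAK SPACE and U+205F MEDIUM MATHEMATICAL SPACE)."""
    return c != " " and unicodedata.category(c) == "Zs"

def analyze_attachment_name(name: str) -> dict:
    """Flag filenames that hide the real extension behind whitespace padding."""
    findings = []
    odd = [c for c in name if is_odd_space(c)]
    if odd:
        kinds = sorted({unicodedata.name(c, f"U+{ord(c):04X}") for c in odd})
        findings.append(f"{len(odd)} non-ASCII space character(s): {', '.join(kinds)}")
    longest_run = max((len(m) for m in re.findall(r" {2,}", name)), default=0)
    if longest_run >= 10:
        findings.append(f"run of {longest_run} regular spaces")
    # Remove all spacing, then read the extension chain the viewer would truncate.
    compact = "".join(c for c in name if c != " " and not is_odd_space(c)).lower()
    parts = compact.split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    decoys = [p for p in parts[1:-1] if p in DOC_EXTS]
    if real_ext in RISKY_EXTS and decoys:
        findings.append(f"decoy .{decoys[-1]} before real .{real_ext}")
    elif real_ext in RISKY_EXTS:
        findings.append(f"active-content extension .{real_ext}")
    return {"name": name, "real_extension": real_ext, "findings": findings,
            "suspicious": bool(findings)}

if __name__ == "__main__":
    # Constructed sample names modelled on the examples in the text.
    samples = [
        "Book.pdf" + "\u205f" * 280 + ".exe",
        "Contract.docx" + "\u00a0" * 40 + ".html",
        "Invoice.pdf" + " " * 50 + ".exe",
        "Quarterly report.xlsx",
    ]
    for s in samples:
        r = analyze_attachment_name(s)
        print(repr(s[:20]), r["real_extension"], r["findings"])
```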

Again, it’s bad practice to send .exe files in archives, as security systems easily detect them. But not everyone has such systems, and I like to classify everything so all info is in one place, even if some tricks don’t work in well-protected organizations.

If someone tried to run our EXE file on Linux and told us they couldn’t open it, we’d “help” by sending another payload. It’s safe to say that security technologies only reduce risks, and you also need to invest in people’s cybersecurity skills. But that’s another topic—let’s move on.

Rarely Used Extensions

When sending archives, try different extensions besides the standard .rar and .zip. Try to bypass both technical and human security with .cab, .z, and others.

In 2020, there were malware campaigns in Russia using archives with the .001 extension, and some organizations weren’t ready for this and didn’t block such archives on their mail servers. Check if your system blocks .z archives as well.

ICS Files

The ICS format (capital “I”) is used for calendar and email clients (Google Calendar, Apple iCal, Microsoft Outlook).

On iPhone, for example, such a file is displayed as follows:

Example of ICS file display on iPhone

In this case, there’s no “Save to calendar” button, but that’s not a problem. This method is suitable for urgent scenarios:

Colleagues, a reminder that the online meeting with the CEO has already started. I’m resending the calendar reminder file.

Sent at 9:05 AM. The employee thinks they’re late and won’t hesitate to click the link.

Cloud File vs. Server File

Finally, let’s see how cloud file storage can make a file seem safer to the victim.

Links to the same file were sent and then opened in Outlook. One file was stored on Yandex Disk, the other directly on a hosting server.

As a result, the file from Yandex Disk downloads without extra warnings, while the direct download shows a warning to the user.

File download warnings

In the downloads list, both files look like this:

File appearance in downloads

Conclusion: if you want to attract less attention to your file, upload it to a cloud storage service.

Flaws in Email Client and Service Interfaces

We’ve covered files, now let’s look at some interface flaws that help not only pentesters but also attackers mislead victims.

Let’s look at this from two sides: how we can use these flaws for good during pentest phishing campaigns, and how software developers can help users spot phishing.

The image below shows the interface of an incoming email in Outlook.

Outlook inbox interface

The victim’s logic: if both the accountant and the director see the email, I’d better do what’s required. But the CC’d email addresses imitate the victim’s colleagues, when in fact they’re fake addresses (see image below).

In the first email, you can spot the letter “s” with a small tail, but in the second, it’s impossible to visually distinguish the Cyrillic letter from the Latin one.

Fake email addresses in CC

When you hover over the email, you see the same address with the fake letter.

Hovering over the fake email

The attacker’s logic is simple: they put fake addresses in CC, the emails go nowhere, but the victim thinks management is aware of the correspondence and is more likely to open the archive with malware or click a phishing link. The “fake” email looks similar to the original domain because Outlook converts the Punycode combination to Unicode. The same thing happens in another popular email client: emails with Punycode aren’t displayed as <[email protected]>, but they could be.

Examples of Email Service Interfaces

Now let’s look at some email services and their web interfaces. This time, we’ll focus on how hard it is for users to identify the sender in the interface, not just how Unicode is displayed in the sender field.

I won’t name the companies, but we’ll look at web interfaces with clear problems in identifying the real sender. In the example below, you see an email in the “From” field, but it’s not the sender’s address—it’s the email entered as the sender’s name.

Email in web interface where the real sender’s address isn’t visible

So, the name and email might look like this: [email protected] <[email protected]>, but the email service only shows <[email protected]>.

In the next example, it’s similar: instead of a name, you see an email, and the user thinks the email came from a familiar sender.

Email in web interface with misleading sender info

But in this interface, at least clicking the email lets you see who actually sent it, unlike the previous example. Can’t it be done like in the interfaces below?

Example of sender name and email display in Yandex Mail
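An added example (not the article's code) that inspects a single From: or Cc: mailbox for the three problems this section describes: an address used as the display name, Cyrillic look-alike letters in the address, and a Punycode domain that the client renders as Unicode. It assumes Python's email.utils.parseaddr, which requires a display name containing @ to be quoted as RFC 5322 demands, and constructed header values.

```python
import unicodedata
from email.utils import parseaddr

def letter_script(c: str) -> str:
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(c, "UNKNOWN").split()[0]

def wire_domain(domain: str) -> str:
    """ASCII (IDNA/Punycode) form of a domain, i.e. what the SMTP server routes on."""
    try:
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return domain.lower()

def analyze_mailbox(header_value: str) -> dict:
    """Inspect one From:/Cc: mailbox for the display tricks described above."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return {"display": display, "address": addr,
                "findings": ["unparseable mailbox"], "suspicious": True}
    findings = []
    # 1. The display name is itself an address, but not the one mail came from
    if "@" in display and display.strip().lower() != addr.lower():
        findings.append(f"display name '{display}' is an address, but mail is from {addr}")
    # 2. Letters from more than one script: Latin text with Cyrillic look-alikes
    scripts = {letter_script(c) for c in addr if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in address: " + "/".join(sorted(scripts)))
    # 3. Internationalised domain: report the Punycode the server sees, not the
    #    Unicode the client renders, so it can be compared with known domains
    ascii_domain = wire_domain(addr.rpartition("@")[2])
    if any(label.startswith("xn--") for label in ascii_domain.split(".")):
        findings.append(f"internationalised domain; on the wire it is {ascii_domain}")
    return {"display": display, "address": addr,
            "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    # Constructed header values; the second has a Cyrillic "а" (U+0430) in the domain.
    for hv in ['"director@corp.example" <noreply@mailer.invalid>',
               '"Ivan Petrov" <ivan.petrov@corp.ex\u0430mple>',
               'Ivan Petrov <ivan.petrov@corp.example>']:
        r = analyze_mailbox(hv)
        print(r["address"], "->", r["findings"] or "ok")
```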

Conclusion

We’ve reviewed several techniques for bypassing the “human firewall” using technical tricks and software flaws. Of course, as long as there are programs and services, there will be flaws—finding ways to “bypass the system” just takes persistence. In fact, the hacker’s job (in our case, a white-hat hacker) is to look at the world a little differently than everyone else.
