Botnet Trend Report -5

August 10, 2020 | Adeline Zhang

Spear Phishing and Malicious Documents

In the past few years, including malicious attachments in emails has become one of the most common methods that APT groups and various cybercriminal groups use to launch spear phishing attacks. Compared with previous years, 2019 saw more spear phishing attacks with a bigger impact, which can be linked to the following factors.

  • Increase in Email Account Leaks

To conduct a spear phishing attack, an attacker first needs to collect email accounts to use as phishing recipients.

In 2019, database leak events frequently made headlines. For example, MongoDB and Elasticsearch, databases intended for use on LANs, may be exposed to external users if configured improperly. In February, Coinmama, an Israeli cryptocurrency transaction platform, was reported to have suffered a data breach in which the email addresses and passwords of 450,000 registered users were leaked and sold on the dark web[4]. In March, researchers from Security Discovery found that a MongoDB database belonging to Verifications IO, an email marketing company, was publicly accessible and contained over 800 million email addresses. The Russian cybersecurity company Group-IB found that email account information of employees from various government and education departments in Singapore had been published on external networks. In July, Sephora, a cosmetics, makeup, and skin care product supplier, had account information of clients from different countries, including email addresses, stolen in a database leak attack.

The examples above make it evident that email databases are lucrative prey for cybercriminal groups.

  • Evolution of Social Engineering Attacks

In the past few years, spear phishing attacks have evolved to target victims more precisely. After obtaining an email address, an attacker tends to carefully craft the email subject to increase the chance that the email, and even the attachment, will be opened.

Moreover, attackers may use forged sender addresses instead of real ones, making it harder to trace the true source.

  • Diversification of Payload Types

According to sample statistics on attachment types used in spear phishing attacks in 2019, Office documents were clearly the dominant payload type, followed by PDF files, ISO images, and compressed packages.

Besides Office documents, the file types used as malicious email payloads in 2019 included PDF files, compressed packages, and ISO images.

In the second half of 2018, a new attack method emerged: using ISO images as malicious attachments. Windows 8 and later include a built-in virtual CD drive, so a user can mount an ISO file with just a double click, which makes this file type an ideal carrier for malicious payloads.

Likewise, ZIP and RAR packages may also contain malicious files, such as executables and VBS, JavaScript, and PowerShell scripts.
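As an added illustration of the attachment triage a mail gateway could apply to the payload types listed above (example code, not from the report), the following Python classifies a constructed attachment by content and name: it recognises an ISO 9660 image by its volume descriptor even when the extension has been changed, looks inside ZIP archives for executables and VBS, JavaScript or PowerShell scripts, and routes Office, PDF and archive files to sandboxing. The file-type sets and verdict names are assumptions for the demo; RAR contents would need a third-party library, so only ZIP archives are opened here.

```python
import io
import os
import zipfile

# Attachment types the report names, grouped by how they carry code (assumed sets).
SCRIPT_EXTS = {".exe", ".vbs", ".js", ".ps1"}    # executables and scripts
OFFICE_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsm", ".ppt", ".pptx"}
ARCHIVE_EXTS = {".zip", ".rar"}                   # only ZIP contents are inspected here
ISO_MAGIC_OFFSET = 0x8001                         # ISO 9660 primary volume descriptor id
ISO_MAGIC = b"CD001"

def is_iso_image(data: bytes) -> bool:
    """Detect an ISO 9660 image by its volume descriptor, whatever the file name says."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC

def archive_members(data: bytes) -> list:
    """Return member names of a ZIP archive, or [] when the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return []

def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment as 'block', 'review' or 'allow', with the reasons."""
    ext = os.path.splitext(name)[1].lower()
    reasons = []
    if is_iso_image(data):
        reasons.append("ISO image: mounts with a double click on Windows 8 and later")
    if ext in SCRIPT_EXTS:
        reasons.append(f"direct script or executable {ext}")
    inside = [m for m in archive_members(data)
              if os.path.splitext(m)[1].lower() in SCRIPT_EXTS]
    if inside:
        reasons.append("archive contains " + ", ".join(inside))
    if reasons:
        return {"verdict": "block", "reasons": reasons}
    if ext in OFFICE_EXTS | ARCHIVE_EXTS | {".pdf"}:
        return {"verdict": "review", "reasons": [f"{ext}: detonate in a sandbox before delivery"]}
    return {"verdict": "allow", "reasons": []}

# Constructed samples: an ISO renamed to .pdf, and a ZIP that hides a VBS script.
FAKE_ISO = b"\0" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\0" * 64
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("report.docx", b"constructed")
    _zf.writestr("update.vbs", b"MsgBox 1")
ZIP_WITH_VBS = _buf.getvalue()
```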


By exploiting weak passwords, various vulnerabilities, and spam, attackers can break through system protections and plant malware, directly or indirectly, to commit cybercrimes for illegal gains.

Vulnerabilities in Windows and Linux/IoT devices are seldom fixed in time.

It is not hard to imagine that these devices, exposed on the Internet with delayed upgrades and maintenance, will end up as victims of ever-evolving attack techniques and become members of botnet armies built by malware families, giving rise to threats such as DDoS attacks, ransomware attacks, cryptojacking, information theft, and adware bundling.

To be continued.