OLE packages, how criminals distribute malware, are on the rise

Cybercriminals increasingly are using object linking and embedding packages though healthcare executives have options to fight them.
By Bill Siwicki
09:27 AM
Share
cybercriminals malware OLE packages

More cybercriminals used object linking and embedding, or OLE packages, to deliver malware content during the first quarter of 2017, according to cybersecurity technology and services company PhishMe Intelligence.

The cyberthreat trend first was observed in December 2016, closely associated to the delivery of the Ursnif botnet malware, PhishMe said. The OLE technique abuses Microsoft Office documents by prompting a victim to double-click an embedded icon to access some type of content. These objects are used to write a script application to the disk that facilitates the download and execution of a malware payload, PhishMe said. This method adds another set of techniques cybercriminals can use to evade anti-analysis and sandbox settings and to successfully infect computer systems, the company said.

The threatening documents employ a similar look and feel to Microsoft Office documents using macro elements for malware delivery, but they do not feature the distinctive “enable macros” banner, PhishMe said. As a result, these documents defy the expectations for the delivery of malware that have been prominent in recent years.

[Also: New ransomware spotted as targeting healthcare industry]

For example, a macro element can display icons or text that instruct a victim to “enable editing” in order to interact with a document and view content, but a document using the threatening OLE packages will not feature the characteristic yellow “enable macros” banner. The technique allows cybercriminals to deploy malicious files to a victim’s machine. Real and fake documents look similar, and the fake ones can fool even computer users who know what a macro looks like.


  A screen shot of the OLE Malware

There are several reasons why these recent phishing campaigns distributing infected Microsoft OLE packages are particularly tricky to deal with, said Rohyt Belani, co-founder and CEO of PhishMe.

“First, because the malware is disguised as an unassuming Office document, threat actors can often use this technique to bypass the IT department’s sandbox environments, detection software or analysis tools that help identify malicious documents, attachments and links,” Belani said. “Second, since so many healthcare organizations rely on Microsoft Office applications to run their day-to-day business operations, security professionals can’t completely block Office documents entirely from e-mail systems. Knowing this, threat actors take advantage of the reliance on everyday tools like Microsoft Office to deliver disguised, dangerous malware payloads to the end-users.”

[Also: Hackers will target hospitals like never before in 2017]

When technology layers fail and let these types of threats land in the inbox, there’s really one last line of defense to ensure these attacks don’t succeed – the employees themselves, Belani said.

“Humans, the end-users, are the linchpin for securing against attacks delivering sneaky payloads that easily bypass existing technology stacks,” Belani said. “We recommend healthcare CISOs seriously consider building strong phishing defense programs that transform employees into human sensors at the heart of the phishing defense strategy.”

Through behavioral conditioning, employees will become contextually aware of the e-mail content that enters their inbox, increasing their ability to recognize and report suspicious communications that very well may be phishing threats like OLE payloads, Belani said.

“By empowering employees to report suspicious e-mails directly to a healthcare organization’s security operations center,” Belani added, “this will drastically speed incident response capabilities to neutralize these threats before any major damage is inflicted.”

Twitter: @SiwickiHealthIT