By Fleming Shi, SVP, Advanced Technology Engineering, Barracuda

Aside from the coffee maker and maybe the office water cooler, few devices receive the magnitude of use that the corporate printer is subjected to on a daily basis. This is because these machines function way beyond the boundaries of a simple printer; in fact they're commonly used to scan and copy pages and can even be called upon to send emails of scans as an easy way to receive PDF versions of documents.

In our latest Threat Spotlight, we take a look at how criminals are using common spoofing techniques to launch attacks containing malicious attachments that appear to be coming from your network printer. The attackers did not choose PDF-generating devices by accident: as we all know very well, PDF files are frequently weaponized to deliver active content that can be harmful to users. From a social engineering perspective, receiving an email from a printer has become so commonplace that in many cases it doesn't raise a red flag for users as a potential security threat, which is exactly what the cybercriminals want.

Highlighted Threat:

Scanner Spoof with Malicious Attachment - Canon, HP and Epson brand printer scanners are being impersonated or spoofed in email, with messages containing malicious attachments known to carry malware. These cybercriminals are using clever malware in order to remain undiscovered and inflict the maximum amount of damage.

The Details:

Over the past month, we've been tracking activity from some clever cybercriminals who are spoofing printer / scanner attachments in emails to spread malware. We witnessed the initial attack in late November, which was soon followed by millions of attempts to infect unsuspecting users via email.

Typically the subject line of the malicious emails reads something like 'Scanned from HP', 'Scanned from Epson', or 'Scanned from Canon', and the message carries a malicious file attachment with malware that is clever in several ways:

1) Misusing file name extensions

These threats use modified file names and extensions inside a traditional file archive, which lets attackers hide the malicious code inside the archive while imitating a '.jpg', '.txt' or any other format. This is possible through various methods, such as exploiting the WinRAR file extension spoofing vulnerability.

By misusing file name extensions, cybercriminals can easily bypass security measures including email antivirus systems and ultimately reach end user email accounts.

2) Remote file download

This malware attachment gives the attackers the capability for covert surveillance or unauthorized access to the victim's PC. When the user clicks on the attachment, the malware is triggered and uses communication protocols that are configured upon initial infection. This backdoor into the victim's machine can allow unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, use the victim's bandwidth (Internet connection) for possible criminal activity, access connected systems, and more.

User wallpaper modification: These attackers also change the victim's wallpaper by using a 'shell' command to obtain a command prompt on the target. They send an image file to the victim's system with an upload command and set the image as the wallpaper.

Identify user/domain shares on the system: Once these attackers have compromised the user's system with the malicious code in the attachment, they can simply open Windows Explorer and search for shares on the system. They can leverage this to escalate from user rights on the workstation to local administrator rights, and easily search the domain's SYSVOL DFS shares for XML files that contain credentials.

Identify the size of the disk: In addition, this malware can check for network-connected systems and attempt to connect to \\FoundSystemName\C$. If the connection succeeds, it has the potential to gain full access to the contents of that drive, including learning the size of the disk.
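The two gateway-side checks that follow from the description above (the 'Scanned from HP/Epson/Canon' subject lines, and the file-name extension tricks inside the attached archive) can be combined into a simple triage routine. The code below is an added example written for this article; it is not Barracuda's code, and the block list of executable extensions, the internal domain `corp.example`, the sender address and the ZIP contents are all constructed for the demonstration. It flags a scanner-style subject from a sender outside the organisation's own domain, and inspects each entry of a ZIP attachment for a right-to-left override character in the name, a double extension such as `.pdf.js`, a bare executable extension, or a PE (`MZ`) header hiding behind a `.txt` or image extension.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject pattern reported in the post for this campaign.
SCANNER_SUBJECT = re.compile(r"^\s*scanned from (hp|epson|canon)\b", re.IGNORECASE)
# Extensions Windows executes on double-click (assumption: a typical gateway
# block list, not a list taken from the post).
EXEC_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
             ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
BENIGN_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}
RTL_OVERRIDE = "\u202e"   # U+202E reverses the display order of what follows it
PE_MAGIC = b"MZ"          # first two bytes of a Windows executable


def check_subject(subject):
    """True when the subject imitates a scan-to-email notification."""
    return bool(SCANNER_SUBJECT.match(subject))


def entry_reasons(name, head):
    """Reasons one file (archive entry or attachment) looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    if RTL_OVERRIDE in base:
        reasons.append("right-to-left override character in file name")
    parts = base.replace(RTL_OVERRIDE, "").lower().split(".")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""
    if last in EXEC_EXTS:
        if len(exts) >= 2 and exts[-2] in BENIGN_EXTS:
            reasons.append("double extension: %s hidden behind %s" % (last, exts[-2]))
        else:
            reasons.append("executable extension %s" % last)
    elif head.startswith(PE_MAGIC):
        reasons.append("PE (MZ) header behind non-executable extension")
    return reasons


def archive_findings(zip_bytes):
    """(entry name, reason) pairs for every suspicious entry in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)          # only the magic bytes are needed
            for why in entry_reasons(info.filename, head):
                findings.append((info.filename, why))
    return findings


def triage_message(raw, internal_domain):
    """Gateway-style verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    reasons = []
    # A real scan-to-email device relays through the organisation's own domain.
    if check_subject(subject) and sender_domain != internal_domain.lower():
        reasons.append("scanner-style subject from external sender %s" % sender)
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        if isinstance(payload, str):           # text/* attachments decode to str
            payload = payload.encode("utf-8")
        if zipfile.is_zipfile(io.BytesIO(payload)):
            for entry, why in archive_findings(payload):
                reasons.append("%s -> %s: %s" % (fname, entry, why))
        else:
            for why in entry_reasons(fname, payload[:2]):
                reasons.append("%s: %s" % (fname, why))
    return {"subject": subject, "sender": sender, "reasons": reasons,
            "verdict": "quarantine" if reasons else "deliver"}


def build_sample_archive():
    """Constructed ZIP with the tricks the post describes plus one clean entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shown by Explorer as 'photorcs.jpg', but the real extension is .scr
        zf.writestr("photo" + RTL_OVERRIDE + "gpj.scr", PE_MAGIC + b"\0" * 62)
        zf.writestr("scan_0002.txt", PE_MAGIC + b"\0" * 62)    # PE body, .txt name
        zf.writestr("invoice.pdf.js", b"WScript.Echo('x');")   # double extension
        zf.writestr("readme.txt", b"Scanned on 2017-12-21\n")  # clean entry
    return buf.getvalue()


def build_sample_message():
    """Constructed message imitating the campaign's lure (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "HP Scanner <scanner@printer-alerts.example>"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Scanned from HP"
    msg.set_content("Please find the attached scanned document.")
    msg.add_attachment(build_sample_archive(), maintype="application",
                       subtype="zip", filename="scan_20171221.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_message(), "corp.example")
    print(result["verdict"], "|", result["subject"], "|", result["sender"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Only the first two bytes of each archive entry are read, so the check stays cheap on large attachments; the extension rules run on the file name with the override character removed, which is why a name that Explorer would display as `photorcs.jpg` is still reported as a `.scr`. Password-protected archives and nested archives are outside this example and would need a sandbox, as the post recommends.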

Below are some examples of this threat to show how attackers are trying to convince victims to click on the attachment.

Take action: Safety Tips and Preventive Measures

Tips:

  • If you didn't know a scanned document was coming, delete the file or double check with the sender to make sure that the person you think is sending a scanned document really intended to.
  • Hover your mouse over every hyperlink to make sure it looks like it's legitimate.
  • If there is any doubt or suspicion, don't click!

User Training and Awareness and Advanced Threat Protection - Employees, or really anyone using email, should be regularly trained and tested to increase their security awareness of attacks like these phishing attempts. Simulated attack training is by far the most effective form of training.

Layering training with an email security solution that offers sandboxing and advanced threat protection should block spam, phishing attacks, and malware before it ever reaches the corporate mail server or user inboxes. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Attachments with malware are blocked, even if the malicious code is hidden in the contents of the attached document.

Barracuda Networks Inc. published this content on 21 December 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 21 December 2017 22:04:07 UTC.

Original document: https://blog.barracuda.com/2017/12/21/threat-spotlight-clever-cybercriminals-spoof-scanners-by-the-millions/

Public permalink: http://www.publicnow.com/view/062BA03EC633E0917D60CD9B93EF64EA3148F779