This year hackers have started using a new strategy to distribute malware that you definitely need to know about. It's a bit more convoluted and complicated, but also clever. But at the same time, if you know what to look for, you can usually protect against it relatively easily. So in this video, I'll explain what it is, how it works, and of course, how to protect against it. Although just knowing about it is the best way.

So for some context, Microsoft this year actually disabled by default macro scripts in Microsoft Office programs like Word and Excel. And that was a very common vector that hackers would use to distribute viruses. They would attach a document to an email that would have a macro embedded, which would run a script and install some malware. However, Microsoft announced last year, actually in October, that they were going to be disabling it by default, and in July 2022 they followed up and disabled macros by default. However, as you'd expect, hackers have already started adapting to this using additional techniques.

So you can actually see some of this research done by a company called Proofpoint, where they have this graph that shows the reduction in malware campaigns using macros since the initial announcement, and the increase in a different method using container files that we'll talk about. And here's another graph showing a different file type, LNK files, which are also being used in this technique, and you can see how popular they are becoming now.

Another important thing to note is hackers have been a little bit more sophisticated recently, and apparently with a lot of these, they're actually interacting with the victim via email a little bit before actually sending the virus payload or doing the main technique. They'll kind of interact with people, get them thinking they're a real person first, and then send it. So don't just think this is gonna be some kind of obvious out-of-the-blue email with the suspicious attachment that you might usually be used to.

So with all that being said, let me actually explain how this attack works. And also keep in mind, as I'm explaining each step, it might seem very convoluted, and you might be thinking, "What? Who would go through all these steps and fall for this?" But remember that in the real world, this whole process from receiving the email to being infected might only take a matter of seconds. It's just that the way I'm explaining it is in a lot of detail, so it seems like it's gonna take longer than it actually will. So just remember that.

So the first step of this attack is the victim is gonna receive an email asking them to look at some document. And again, the hacker may have already been talking to this person a little bit beforehand. And they're basically, at this stage, going to try to get you to download a zip file, but it's not gonna be that obvious; they're gonna try and trick you into it. So the first possibility is it's going to be a fake DocuSign or similar document signing email. Like this one is DocuSign and it says review this document, but it's obviously not actually DocuSign, and it goes to download a file. And all of these are real examples gathered from this Proofpoint company, and also a company called Palo Alto Networks, so that's where I got these. Another interesting thing they might do is actually attach an HTML file. So you open that, it's basically a webpage file, and that'll also have some text saying, "here's the invoice, whatever," to try to get you to click a link. And that will also take you to a download. And the reason they do that is probably to get around filters that are directly looking for links in the email itself. They might not be scanning for it in attachments. And third, they may just attach the zip file to the email directly.

The next thing that happens is presumably the victim is going to open the zip file. But the thing is that in Windows, if you double click to open a zip file, it just opens like any other folder. So if you're not on the lookout, this isn't necessarily gonna raise any red flags; it looks like you just opened a folder. Also be aware, though, that apparently in some cases the zip file is password protected. And in the email it says, "oh, here's the zip file and it's password protected, and here's the password." And the reason they do that is because a password-protected zip file will be able to evade scans. So be very suspicious if you get a zip file that's password protected.

Next, here's where it starts to get tricky. Inside the zip file is going to be some kind of container file that the user is probably not gonna be familiar with. Recently, the most common one has been an ISO file, which is actually a disk image file. It could also be a .img file, which is another type of disk image, or maybe it could be something else entirely if they change it up. But regardless, it will probably be named something to look like a document, like "invoice" is one example they've been using. And most people at this point don't know what a disk image is, or an ISO image, and Windows by default doesn't even show file extensions anyway. So you might not know what that disc icon means, and you might just say, "Oh, I guess it's some kind of weird document I've never seen before." And then the victim will double click to open this ISO file.

And then next, what happens is behind the scenes, after you open this image file, it will actually mount that image. So if you were to actually go and look at the other drives on your computer, like under This PC, it would actually now show as a virtual disc. But the thing is, if you click to open this, Windows does all that automatically and takes you right into it. So it again, to the user, looks like you just went into another folder; you don't realize that all that happened. So now we get to the final step of the attack. But remember, at this point, all the user thinks they've done is clicked into a couple folders. It probably took like two seconds, despite me taking a while to explain all of it. It went by really quick, so it might not have raised any red flags.

So now once you're inside this container, which again looks like you're just in a folder, there's going to be a couple files. One is gonna be just a Windows shortcut. Yes, like as if you right-clicked, Create shortcut; it's gonna look like that. But it's also gonna have the actual virus payload, some kind of executable, and it might actually be hidden, so you might not even see that. But the LNK file, or shortcut, will be called something to entice you to click it, like it'll be called "attachment" or "document," something like that. And when the user clicks that, that actually has a command embedded in the shortcut to run the other executable file. And that is what infects the system. And if you're wondering why it has you click a shortcut link instead of just clicking the virus directly, it's basically just to get around the virus scanners, and it might be running not an exe file but a DLL file. Not gonna get into it; there is a reason for it though. Anyway, regardless, after the person clicks the shortcut link, which again might be named like a document or something, you are infected. It runs the virus and you're infected.

So how do you actually spot and defend against this type of attack? I'll try to give some tips that are a little bit more general in case they do switch it up a bit. First of all, no matter who you are, I would highly recommend you enable Windows to always show file extensions. So to do this, you can do it in Windows 10 by clicking this checkbox here in Explorer. And if you're in Windows 11, you just go to this menu, drop down, and click this here. And this is basically just gonna let you always know exactly what type of file you're dealing with. Even if not just for security purposes, but in general, I would like to know exactly what type of file I'm opening, you know, what program is gonna open it. And it just gives me a little bit more information. But it also does protect against viruses that may be named to disguise themselves as another file extension. For example, it could be like "Example.Docx.exe". And if you don't have file extensions enabled, you might see the Docx and think, "Oh, for some reason it's showing the file extension, but I guess it's a document," and click it, not realizing it's not actually that.

Now the next general tip that is directly related to this is if you're gonna click on a file at all, always know exactly what it does. And if you don't know what it does, don't click on it. And even if you don't have file extensions enabled, the Details view of Windows Explorer, where it shows the list with the columns of data, will still have that "Type" column. And that'll tell you what type of file it is, but you still probably wanna have the file extension too, because, you know, a lot of people might just give it the benefit of the doubt. They're like, "I don't know what this is. It's called invoice, I'll click on it, seems fine." But this way, if you simply recognize, "I don't know what this is," then you don't have to worry about it; you won't click it.

And for the third general tip, it now looks like we really have to be careful and watch out for Windows shortcut files. And definitely pay attention to this; this is important, there are a few layers to it. So we already saw that shortcut files, if you click on them, can be used to execute a virus file that could even be hidden; you might not see it. But an important thing to understand first about shortcut files is, behind the scenes, they're actually a .LNK file. So yes, Windows shortcuts do actually have a file type. However, even if you have the setting to view file extensions always enabled in Windows Explorer, it will not actually show .LNK on shortcuts, even if you have all the other ones shown. And the reason you need to know that is because I could see, theoretically, a hacker creating a shortcut file that looks like a document by naming it "example.pdf", and you might click it thinking, "Oh, well I have file extensions enabled, I see that's a PDF file, it must be safe to click." But behind the scenes, it's actually Example.PDF.LNK. And it's actually a shortcut that goes and executes a virus. But you didn't notice that there was actually that shortcut symbol on the icon, and you didn't realize it was a shortcut. So now we have to watch out to see if any kind of attached files or whatever are secretly a shortcut file. And you can again do that by either looking at the Type column, it'll say Shortcut, or usually the icon will also add that little shortcut symbol there. So definitely watch out for that.

And I mean, the main ultimate general tip is don't click on suspicious links or attachments that you weren't expecting, even if they're zip files, whatever. If you weren't expecting it, you don't know exactly who this person is, doesn't matter what they say the file is, don't click it. Maybe consult your IT department, see what they think about it.

Now as a quick recap for some things to watch out for in this attack: if you see any kind of disk image file, either ISO or .img, that's pretty much a dead giveaway. No one's gonna be sending you an image file, especially if it's supposed to be a document, no way. Also, like I just said, if you see a shortcut that's named like a file, or any kind of shortcut really, don't click that. And third, remember that they might change up these file types. Don't think, "Oh, well it's not an ISO file, guess it must be safe." Could be an image file; I think they're also using .RAR files, that's another type of container. Just if you don't recognize it or it's not a document, don't click it at all, if you download it in the first place, which you probably shouldn't have.

So I know this attack was a little bit more complicated and you might not remember everything, but hopefully you'll remember something if you do come across this; it'll just ring some bells to be more suspicious. So if you did find this helpful, definitely gimme a thumbs up, let me know what you think down in the comments, love to hear from you. And if you wanna subscribe, also consider clicking the bell next to the subscribe button to enable all notifications. I post only about twice a week; you don't want those getting lost in the rest of your subscriptions. Now speaking of zip files, if you wanna keep watching, the next video I'd recommend is where I was talking about how a lot of file types you may be familiar with are actually zip files. For example, did you know that Word document files are actually just zip files renamed? I'm not kidding, you can click that and see what that's all about. So thanks so much for watching and I'll see you in the next one.
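As an added example (not from the video), here is a small Python checker a defender could run over an extracted attachment or a mounted image to flag the indicators the video's tips and recap describe: disk image or archive containers, double extensions like Example.Docx.exe, and shortcut files identified by their .lnk header even when Explorer hides that extension. The sample folder it builds is constructed for the demo.

```python
"""Flag the attachment indicators from the video in a folder of files.
Added example, not from the video; the sample filenames below are constructed."""
import tempfile
from pathlib import Path

# Shell Link (.lnk) file header: HeaderSize 0x4C followed by the fixed LinkCLSID
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
CONTAINERS = {".iso", ".img", ".rar", ".zip"}   # disk images / archives the video warns about
DOCUMENT_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".txt"}

def is_lnk(path: Path) -> bool:
    """Identify a shortcut by content, not by name: Explorer hides .lnk even with
    extensions shown, so a displayed 'report.pdf' may really be 'report.pdf.lnk'."""
    with open(path, "rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC

def check_file(path: Path) -> list[str]:
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in CONTAINERS:
        reasons.append("disk image or archive container")
    # e.g. Example.Docx.exe: the document extension is a decoy in front of the real one
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension")
    if path.is_file() and is_lnk(path):
        reasons.append("Windows shortcut (.lnk) regardless of displayed name")
    return reasons

def scan_dir(folder: str) -> dict[str, list[str]]:
    """Return {filename: reasons} for every file that trips at least one indicator."""
    hits = {}
    for p in sorted(Path(folder).iterdir()):
        if p.is_file():
            r = check_file(p)
            if r:
                hits[p.name] = r
    return hits

def demo() -> dict[str, list[str]]:
    """Build a constructed sample folder resembling the described attachment and scan it."""
    d = tempfile.mkdtemp()
    Path(d, "invoice.iso").write_bytes(b"\x00" * 32)                   # disk image named like a document
    Path(d, "document.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 60)  # shortcut Explorer shows as 'document.pdf'
    Path(d, "Example.Docx.exe").write_bytes(b"MZ" + b"\x00" * 30)      # decoy document extension on an exe
    Path(d, "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 30)   # ordinary Office file, not flagged
    return scan_dir(d)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```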