Can you trust attachments with unfamiliar extensions?

Microsoft’s security experts have warned on Monday about several email malware delivery campaigns exploiting the COVID-19 pandemic targeting companies in the US and South Korea.

What they have in common is the ultimate delivery of the Remcos RAT (remote administration tool/Trojan), a piece of malware that allows hackers to have full control over the infected system, and the fact that the attached files have some atypical extensions.

Target: Businesses

In one campaign the attackers are impersonating the US Small Business Administration (SBA) and attempt to deliver a malicious IMG (disk image) attachment.

“The IMG file contains an executable file that uses a misleading PDF icon. When run, the executable file drops Remcos, which allows attackers to take control of affected machines,” the researchers noted.

In another, the attackers impersonate the CDC’s Health Alert Network (HAN) and the emails carry malicious ISO (disk image) attachments. In a third, they pose as the American Institute of Certified Public Accountants and deliver a ZIP archive containing an ISO file, which in turn carries a malicious SCR file with a misleading PDF icon.

IBM X-Force researchers have also recently warned about a variety of fake US SBA emails carrying malicious IMG (disk image) and Universal Disk Format (UDF) image files leading to the Remcos RAT.


The US SBA is a good choice for malware peddlers to impersonate at this time.

“On March 27, 2020, $376 billion in relief payments for workers and small businesses was allocated via the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The US SBA and the Department of Treasury are the designated outlets for providing information and guidance on the implementation of the CARES programs, but with people looking out for their applications, these fake emails are evidence of malicious actors already exploiting reliance on digital updates, which many are expecting as they plan to receive the allocated federal aid,” IBM X-Force researchers pointed out.

Target: Consumers

The aforementioned campaigns are obviously targeting businesses but, according to Kaspersky Lab researchers, Remcos RAT and other malware peddlers have not forgotten about consumers.

To make it more likely the recipients will download and open a malicious attachment, they are impersonating package delivery services and saying that the recipient must read or confirm the information in an attached file in order to receive a package that’s come in.

Again, the malicious attachments come with some unusual file extensions such as ACE (archive file) and the more familiar RAR and ZIP (also archive files).
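As an added example that is not part of the original article, the following triage routine applies the points above to incoming attachments: it flags disk-image and archive extensions, identifies executables by magic bytes rather than by name, catches decoy double extensions such as `.pdf.scr`, and recurses into ZIPs to find the nested ISO of the third campaign. The sample inputs are constructed (a ZIP wrapping a minimal ISO 9660 header, an MZ stub, a clean PDF), not real malware.

```python
import io
import zipfile

# Extension classes the campaigns above abuse, plus document extensions used as decoys.
DISK_IMAGE_EXT = {"img", "iso", "udf"}
ARCHIVE_EXT = {"zip", "rar", "ace"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

def classify_bytes(data: bytes) -> str:
    """Identify content by magic bytes, not by the name the sender chose."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 primary volume descriptor at sector 16
        return "iso9660"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"

def triage_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment; recurse into ZIP members."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = classify_bytes(data)
    findings = []
    if ext in DISK_IMAGE_EXT or kind == "iso9660":
        findings.append(f"{name}: disk image ({kind}); contents are not inspected here")
    if ext in ARCHIVE_EXT and kind != "zip":
        findings.append(f"{name}: {ext.upper()} archive, format not parsed here")
    if kind == "pe-executable" or ext in EXECUTABLE_EXT:
        findings.append(f"{name}: Windows executable ({kind}, .{ext or '?'})")
    if len(parts) > 2 and parts[-2] in DECOY_EXT and ext not in DECOY_EXT:
        findings.append(f"{name}: decoy double extension .{parts[-2]}.{ext}")
    if kind == "zip" and depth < 3:  # covers ZIP -> ISO -> SCR style nesting
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    findings += triage_attachment(f"{name}/{member.filename}", zf.read(member), depth + 1)
    return findings

def constructed_samples() -> dict:
    """Constructed inputs (not real malware): ZIP-wrapped ISO header, MZ stub named as a PDF, clean PDF."""
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01"  # only the volume descriptor signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SBA_Grant_Notice.iso", fake_iso)
    return {"Notice.zip": buf.getvalue(),
            "Invoice.pdf.scr": b"MZ" + b"\x00" * 62,
            "Report.pdf": b"%PDF-1.4\n%%EOF\n"}
```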


Can you trust attachments? Be careful

Malware peddlers will try every email and attachment combination and permutation they can think of to get past email security filters and get users to open those files.

Needless to say, everybody should always be wary of opening attachments and links in unsolicited emails – whether they have a familiar file extension or not.

If you really can’t resist the temptation, or you aren’t sure about your ability to spot fake, malicious emails, you can always test the attached file before opening it. VirusTotal is a popular, easy-to-use and very thorough option for checking files for malware, but there are others as well.
