Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection
Dec. 4, 2024, 10:21 a.m.
Description
An ongoing, sophisticated attack has been discovered that evades antivirus software, prevents sandbox uploads, and bypasses Outlook's spam filters. The attackers deliberately corrupt files to conceal their type, which makes detection difficult for security tools. The corrupted files, typically ZIP archives or MS Office documents, still open correctly on the victim's system yet go undetected by most security solutions. The attack abuses the recovery mechanisms that programs such as Microsoft Word, Outlook, and WinRAR apply to 'damaged' files. The campaign has been active for several months, with the earliest instances dating back to August. The ANY.RUN sandbox's interactivity allows it to identify this malicious behavior by launching the broken files in their corresponding programs.
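As an added illustration of the detection gap described above (example code, not from the report or from ANY.RUN), the following Python heuristic flags files whose ZIP/Office magic bytes or extension claim a container format while a strict archive parser rejects them; the sample document and the corruption applied to it are constructed inline.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"           # local-file-header signature shared by ZIP and OOXML
OOXML_PART = "[Content_Types].xml"  # present in every .docx/.xlsx/.pptx container
ARCHIVE_EXTS = {"zip", "docx", "xlsx", "pptx"}

def classify(data: bytes) -> str:
    """Return 'not-zip', 'zip-corrupt', 'zip-ok' or 'ooxml-ok'.

    ZIP magic plus a parser failure is the shape the report describes:
    type detection says ZIP/Office, strict parsers give up, and only the
    application's recovery logic (Word, WinRAR) will open the file.
    """
    if not data.startswith(ZIP_MAGIC):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:   # some member failed its CRC check
                return "zip-corrupt"
            names = zf.namelist()
    except zipfile.BadZipFile:             # e.g. end-of-central-directory missing
        return "zip-corrupt"
    return "ooxml-ok" if OOXML_PART in names else "zip-ok"

def suspicious(data: bytes, filename: str) -> bool:
    """Extension or magic claims ZIP/Office, yet the container does not parse."""
    ext = filename.rsplit(".", 1)[-1].lower()
    claims_archive = ext in ARCHIVE_EXTS or data.startswith(ZIP_MAGIC)
    return claims_archive and classify(data) in {"not-zip", "zip-corrupt"}

def make_docx_like() -> bytes:
    """Constructed minimal OOXML-style container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(OOXML_PART, "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def strip_eocd(data: bytes) -> bytes:
    """Constructed corruption: drop the 22-byte end-of-central-directory record,
    leaving the local file headers (and therefore the ZIP magic) intact."""
    return data[:-22]

if __name__ == "__main__":
    doc = make_docx_like()
    for name, blob in (("ok.docx", doc), ("broken.docx", strip_eocd(doc))):
        print(name, classify(blob), "SUSPICIOUS" if suspicious(blob, name) else "clean")
```

A file that parsers reject but that Word or WinRAR still opens deserves the interactive detonation the report credits with catching this campaign.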
Date
Published: Dec. 4, 2024, 10:06 a.m.
Created: Dec. 4, 2024, 10:06 a.m.
Modified: Dec. 4, 2024, 10:21 a.m.
Indicators
Attack Patterns
T1036.001
T1027.001
T1211
T1204.002
T1489
T1559
T1036
T1140
T1027