This UK-based biotech firm has business links to China, and it turns out the attackers knew this. Using a legitimate Chinese manufacturer located in Liaoning Province, the attackers appear to have infiltrated the manufacturer and taken over its email systems at administrator level. The email account created to send the malware from is no longer valid, an indication that the attackers had high-level access and removed the account once their payload had been sent, to cover their tracks. The malicious payload was hidden in an old Microsoft Excel spreadsheet (Office ’97-’03) which contained not only macros but also embedded files – a common attacker technique in which a macro acts as the ‘trigger’ and an encrypted embedded file carries the payload, so that the payload stays hidden from cyber security defences.
How we protected our customer
Since our customer has a varied supply chain, it is not possible for them to shut out older Office formats, despite these carrying the highest malware risk. They rely on Glasswall to strip all Office file types of any active content such as macros before the file is completely regenerated, and it is this method that ensured the attacker was unsuccessful, despite the level of sophistication they demonstrated. About 10% of all malicious files that Glasswall encounters are Excel files, of which 98% contain a macro – this provides some insight to drive policy changes and a rethink of the risks associated with email attachments.
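As an added example (not Glasswall's engine or any code from the case above), the following Python triage function shows the kind of check that such a policy rests on: it identifies whether an attachment is a legacy OLE2 (’97-’03) container or a modern OOXML package and flags the two things the attack relied on, VBA macros and embedded objects, so that a gateway can route the file to sanitisation and regeneration. The OLE2 check is a heuristic scan for UTF-16LE directory names rather than a full container parser, and the sample files are constructed in-line for demonstration.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office '97-'03 compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.xlsx/.xlsm) is a ZIP package

# Directory entry names inside a legacy container are stored as UTF-16LE.
# Heuristic markers only; a production gateway walks the directory properly.
LEGACY_MARKERS = {
    "vba_macros": ["_VBA_PROJECT", "Macros"],          # VBA project storage (Excel / Word)
    "embedded_objects": ["MBD0", "ObjectPool", "\x01Ole10Native"],
}


def triage_office_attachment(data: bytes) -> dict:
    """Classify an attachment and flag active content and embedded files."""
    result = {"format": "unknown", "vba_macros": False, "embedded_objects": False}
    if data.startswith(OLE2_MAGIC):
        result["format"] = "legacy-ole2"
        for flag, names in LEGACY_MARKERS.items():
            result[flag] = any(n.encode("utf-16-le") in data for n in names)
    elif data.startswith(ZIP_MAGIC):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        result["vba_macros"] = any(n.endswith("vbaproject.bin") for n in names)
        result["embedded_objects"] = any("/embeddings/" in n for n in names)
    # Either finding means the file must be stripped and regenerated, not delivered as-is.
    result["active_content"] = result["vba_macros"] or result["embedded_objects"]
    return result


def constructed_legacy_sample() -> bytes:
    # Constructed stand-in: real header magic followed by directory-style names.
    # It is not a valid workbook; it only exercises the marker scan.
    return (OLE2_MAGIC + b"\x00" * 504 + "Workbook".encode("utf-16-le")
            + "_VBA_PROJECT_CUR".encode("utf-16-le") + "MBD00000001".encode("utf-16-le"))


def constructed_ooxml_sample(with_macro: bool) -> bytes:
    # Constructed minimal OOXML package, optionally carrying a VBA project part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_attachment(constructed_legacy_sample()))
    print(triage_office_attachment(constructed_ooxml_sample(True)))
```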