The new corrupt Word file scam that manages to fool almost all antiviruses

In cybersecurity, a zero-day attack is one that exploits a vulnerability unknown to the developer or software vendor. Since the flaw that enables it is not known, there is no official patch or fix to correct it, which gives attackers the opportunity to exploit it without meeting resistance. An attack of this type was recently reported by the cybersecurity firm Any.run.

This scam, which could be called the corrupted Word file scam, takes advantage of a weakness shared by most antivirus systems: the absence of a recovery mechanism for damaged files that would let them scan a file that is damaged. As a result, the malicious file passes through security systems undetected, and the very fact that it cannot be opened leads the user to assume that there is no security problem, only a functional one.

Any.run has detected a campaign that, under the pretext of a communication from a company's human resources department, attaches a file with the .docx extension, corresponding to the Microsoft Word word processor, deliberately corrupted so that it cannot be read or opened by Word or by other programs, such as an antivirus.

‘Attackers take advantage of recovery mechanisms for “damaged” files so that corresponding programs such as Microsoft Word, Outlook or WinRAR, which have built-in recovery procedures, can handle such files without problems,’ explains Any.run in a post on X.

In this case, when the corrupted file is checked with VirusTotal, an online service that analyzes files with more than 70 antivirus engines looking for cybersecurity threats, no threats are detected. The reason, already mentioned, is that most antivirus programs and automated tools lack the recovery function found in applications like Word. This prevents them from accessing the contents of the damaged file, so they cannot detect the threat.

So, once the file has passed the security filters of the user or of the network the computer belongs to, the user tries to open the unreadable file; Word reports that it is corrupted and offers to recover it. The application performs the recovery and displays the content: a QR code that leads to a phishing page, in this case one impersonating Microsoft to obtain the user's login credentials.
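As an added illustration (not code from the article or from Any.run), the Python below constructs a minimal .docx, damages its ZIP container in the way the campaign relies on, and shows that a strict ZIP parser rejects the file while a sequential recovery-style read still yields word/document.xml; a triage step flags that "corrupt but recoverable" combination so the attachment can be sent to a sandbox instead of being waved through. All file content is constructed sample data; the verdict strings and the 30-byte local-header walk are this example's own.

```python
import io, struct, zipfile, zlib

LOCAL_HDR = b"PK\x03\x04"      # ZIP local file header signature
CENTRAL_HDR = b"PK\x01\x02"    # ZIP central directory signature

def build_docx(body_xml: bytes) -> bytes:
    """Constructed sample: a minimal OOXML container (a .docx is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", body_xml)
    return buf.getvalue()

def strip_central_directory(data: bytes) -> bytes:
    """Constructed damage: drop the central directory and end record, so a strict
    ZIP reader rejects the file although every stored part is still present."""
    return data[: data.find(CENTRAL_HDR)]

def zip_parser_accepts(data: bytes) -> bool:
    """What a scanner without a recovery path sees: parse cleanly or give up."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).namelist()
        return True
    except zipfile.BadZipFile:
        return False

def recover_parts(data: bytes) -> dict:
    """Recovery-style read: walk local file headers sequentially, ignoring the
    central directory, and inflate each part (STORED or DEFLATED)."""
    parts, pos = {}, 0
    while (pos := data.find(LOCAL_HDR, pos)) != -1 and pos + 30 <= len(data):
        _, _, _, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from(
            "<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30 : pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        raw = data[start : start + csize]
        parts[name] = raw if method == 0 else zlib.decompress(raw, -15)
        pos = start + csize
    return parts

def triage(data: bytes) -> str:
    """Classify an attachment; the middle verdict is the pattern described above."""
    if zip_parser_accepts(data):
        return "intact"
    if "word/document.xml" in recover_parts(data):
        return "corrupt-but-recoverable"   # hand to a sandbox that opens it in Word
    return "corrupt-unrecoverable"

BODY = b"<w:document><w:body><w:p>constructed sample text</w:p></w:body></w:document>"
SAMPLE = build_docx(BODY)               # constructed, benign
DAMAGED = strip_central_directory(SAMPLE)
```

Running `triage(DAMAGED)` returns `corrupt-but-recoverable`, which is exactly the file a signature scanner relying on a standard ZIP reader would report as clean.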

Although in this example the tactic has been detected with .docx files, it is not the only format attackers can use. Using the same tactic to evade antivirus, attackers also distribute corrupted files with malicious software inside that applications like WinRAR can restore so the user can open them.

How can you protect yourself against threats that escape most antivirus programs? There are security solutions, such as Any.run, that open suspicious files with the corresponding application in a safe environment where they can do no harm, and thus check whether the corrupt file hides any surprises.