Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents-Reference-Cited by-同舟云学术

Analysis and Correlation of Visual Evidence in Campaigns of Malicious Office Documents

Published:2022-03-25 Issue: Volume: Page:
ISSN:2692-1626
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats

Author:

Casino Fran¹,Totosis Nikolaos²,Apostolopoulos Theodoros³,Lykousas Nikolaos³,Patsakis Constantinos⁴

Affiliation:

1. Department of Computer Engineering and Mathematics, Universitat Rovira i Virgili, Tarragona, Spain, and Information Management Systems Institute of Athena Research Center, Greece,

2. Hatching, Netherlands,

3. Department of Informatics, University Piraeus, 80 Karaoli & Dimitriou str, 18534 Piraeus, Greece,

4. Department of Informatics, University Piraeus, 80 Karaoli & Dimitriou str, 18534 Piraeus, Greece, and Information Management Systems Institute of Athena Research Center, Greece,

Abstract

Many malware campaigns use Microsoft (MS) Office documents as droppers to download and execute their malicious payload. Such campaigns often use these documents because MS Office is installed on billions of devices and that these files allow the execution of arbitrary VBA code. Recent versions of MS Office prevent the automatic execution of VBA macros, so malware authors try to convince users into enabling the content via images that, e.g. forge system or technical errors. In this article, we propose a mechanism to extract and analyse the different components of the files, including these visual elements, and construct lightweight signatures based on them. These visual elements are used as input for a text extraction pipeline which, in combination with the signatures, is able to capture the intent of MS Office files and the campaign they belong to. We test and validate our approach using an extensive database of malware samples, obtaining an accuracy above 99% in the task of distinguishing between benign and malicious files. Furthermore, our signature-based scheme allowed us to identify correlations between different campaigns, illustrating that some campaigns are either using the same tools or collaborating between them.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Computer Science Applications,Hardware and Architecture,Safety Research,Information Systems,Software

Link

https://dl.acm.org/doi/pdf/10.1145/3513025

Reference32 articles.

1. Mamoun Alazab and Roderic Broadhurst . 2016. Spam and criminal activity. Trends and issues in crime and criminal justice526 ( 2016 ), 1–20. Mamoun Alazab and Roderic Broadhurst. 2016. Spam and criminal activity. Trends and issues in crime and criminal justice526 (2016), 1–20.

2. Automated microsoft office macro malware detection using machine learning

3. David Bianco. 2013. The Pyramid of Pain. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html. David Bianco. 2013. The Pyramid of Pain. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html.

4. Fran Casino Tom Dasaklis Georgios Spathoulas Marios Anagnostopoulos Amrita Ghosal Istvan Borocz Agusti Solanas Mauro Conti and Constantinos Patsakis. 2021. A cross-domain qualitative meta-analysis of digital forensics: Research trends challenges and emerging topics. arXiv preprint arXiv:2108.04634(2021). Fran Casino Tom Dasaklis Georgios Spathoulas Marios Anagnostopoulos Amrita Ghosal Istvan Borocz Agusti Solanas Mauro Conti and Constantinos Patsakis. 2021. A cross-domain qualitative meta-analysis of digital forensics: Research trends challenges and emerging topics. arXiv preprint arXiv:2108.04634(2021).

5. Intercepting Hail Hydra: Real-time detection of Algorithmically Generated Domains

Cited by 9 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Exploring the Malicious Document Threat Landscape: Towards a Systematic Approach to Detection and Analysis;2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW);2024-07-08

2. CAFE: Robust Detection of Malicious Macro based on Cross-modal Feature Extraction;2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD);2024-05-08

3. Enhancing Cybersecurity With P-Code Analysis and XGBoost: A Novel Approach for Malicious VBA Macro Detection in Office Documents;IEEE Access;2024

4. Enhancing Malware Detection Reliability in Non-Executable Files Using Confidence Score Prediction;2024

5. Short- versus long-term performance of detection models for obfuscated MSOffice-embedded malware;International Journal of Information Security;2023-08-14