Microsoft Office documents by prompting a victim to double-click an embedded icon to access some type of content. These objects are used to write a script application to the disk that facilitates the download and execution of a malware payload, PhishMe said. This method adds another set of techniques cybercriminals can use to evade anti-analysis and sandbox settings and to successfully infect computer systems, the company said.

The threatening documents employ a similar look and feel to Microsoft Office documents using macro elements for malware delivery, but they do not feature the distinctive “enable macros” banner, PhishMe said. As a result, these documents defy the expectations for the delivery of malware that have been prominent in recent years. For example, a macro element can display icons or text that instruct a victim to “enable editing” in order to interact with a document and view content, but a document using the threatening OLE packages will not feature the characteristic yellow “enable macros” banner. The technique allows cybercriminals to deploy malicious files to a victim’s machine. Real and fake documents look similar, and the fake ones can fool even computer users who know what a macro looks like.

A screenshot of the OLE malware.

There are several reasons why these recent phishing campaigns distributing infected Microsoft OLE packages are particularly tricky to deal with, said Rohyt Belani, co-founder and CEO of PhishMe. “First, because the malware is disguised as an unassuming Office document, threat actors can often use this technique to bypass the IT department’s sandbox environments, detection software or analysis tools that help identify malicious documents, attachments and links,” Belani said.
“Second, since so many healthcare organizations rely on Microsoft Office applications to run their day-to-day business operations, security professionals can’t completely block Office documents entirely from e-mail systems. When technology layers fail and let these types of threats land in the inbox, there’s really one last line of defense to ensure these attacks don’t succeed – the employees themselves,” Belani said. “Humans, the end-users, are the linchpin for securing against attacks delivering sneaky payloads that easily bypass existing technology stacks,” Belani said. “We recommend healthcare CISOs seriously consider building strong phishing defense programs that transform employees into human sensors at the heart of the phishing defense strategy.”

Through behavioral conditioning, employees will become contextually aware of the e-mail content that enters their inbox, increasing their ability to recognize and report suspicious communications that very well may be phishing threats like OLE payloads, Belani said. “By empowering employees to report suspicious e-mails directly to a healthcare organization’s security operations center,” Belani added, “this will drastically speed incident response capabilities to neutralize these threats before any major damage is inflicted.”
Nintendo recently released Super Mario Run for the iOS platform. In no time, the game became a sensational hit on the iTunes store. However, there is not yet an Android version and there has been no official news on such a release. Attackers are taking advantage of the game's popularity, spreading malware posing as an Android version of Super Mario Run. The ThreatLabZ team wrote about a similar scam that occurred during the release of another wildly popular Niantic game, Pokemon GO.

Like that scam, the new Android Marcher Trojan is disguised as the Super Mario Run app and attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details. Once the user's mobile device has been infected, the malware waits for victims to open one of its targeted apps and then presents the fake overlay page asking for banking details. Unsuspecting victims will provide the details that will be harvested and sent out to the malware's command and control (C&C) server. We have seen this malware evolve and take advantage of recent trends in order to target a large number of users. We have covered similar campaigns in the past related to Marcher malware here and here.

Technical details

In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.
In previous variants of Marcher, we observed this malware family targeting well-known Australian, UK, and French banks. The current version is targeting account management apps as well as well-known banks. Like previous Marcher variants, the current version also presents fake credit card pages once an infected victim opens the Google Play store.