HP Threat Research Blog Spot the Difference: Tracking Malware Campaigns using Visually Similar Images

February 13, 2020 Category: Threat Research By: Alex Holland Comments: 0

Spot the Difference: Tracking Malware Campaigns using Visually Similar Images

Introduction

Malicious documents often contain images of fake program prompts that are designed to convince a user to perform an action, such as disabling Microsoft Office’s read-only mode (Protected View) and enabling macros. Some forms of trickery are more effective than others, often involving an appeal to a sense of urgency or authority. We see threat actors repeatedly reusing a small collection of cues and deceits in their social engineering images, likely because they have proven effective over time.

Since threat actors often reuse or only slightly tweak the social engineering images in their malware campaigns, they leave visual signatures of their activity. In this article, we describe how to track and detect malware families distributed in campaigns involving visually similar malicious documents using perceptual hash algorithms.[1] We have also released a script to demonstrate this technique called graph_similar_document_images.py.[2]

Top Social Engineering Images

From a sample of 250 malicious documents detected in 2019 we identified 32 distinct social engineering images. Table 1 shows the products and organisations that were most frequently imitated.

Product/Organisation Social Engineering Image Variants
Microsoft Word 12