Hackers are getting around security protections in Microsoft Office applications with new techniques that use no macros.
According to a blog post by Jérôme Segura, a Malwarebytes security researcher, hackers could use an infection vector that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology.
"By embedding a specially-crafted settings file into an Office document, an attacker can trick a user to run malicious code without any further warning or notification," he said.
The file format, specific to Windows 10 called .SettingContent.ms, is essentially XML code that is used to create shortcuts to the Control Panel.
"This feature can be abused because one of its elements (DeepLink) allows for any binary with parameters to be executed. All that an attacker needs to do is add his own command using Powershell.exe or Cmd.exe. And the rest is history," said Segura.
This research follows on from a discovery by security researcher Matt Nelson. In the intervening weeks since the discover, FireEye security researcher Nick Carr has been tracking such attacks with a number of updates on Twitter.
Carr said that the latest examples will download and run a file containing a remote access trojan called Remcos.
Segura said that while there has been little development with web exploit kits, there has been a lot of activity with document exploit kits such as Microsoft Word Intruder (MWI) or Threadkit.
"These toolkits allow attackers to craft lures and embed the exploit(s) of their choice before either spear phishing their victims or sending the file via larger spam campaigns. At the same time, it looks like classic social engineering attacks aren’t going anywhere anytime soon and will keep capitalising on the human element," said Segura.
Lotem Finkelsteen, Threat Intelligence team leader at Check Point, told SC Media UK that good approach to defending against these evolving attacks is to focus less on the specific exploit technique, and instead focus on the attack vector.
"Documents usually drop or download second-stage malware, which then leads to the main attack. It doesn’t really matter how it does this, whether by exploiting Office or executing a macro," he said.
"Running the document in an isolated environment such as a sandbox and tracking the infection chain, would ensure detection of malicious behavior (such as unexpected access to the internet or a new file being dropped out of the document). The next new technique is just around the corner and organisations should adopt advanced security technologies to be able to cope with the evolving threat landscape."
Lewis Henderson, VP at cybersecurity experts Glasswall Solutions, told SC Media UK that this type of file manipulation is incredibly smart by the teams creating the malware, as it becomes a significant challenge for organisations to defend against, who often turn to disabling functions on endpoints as a prevention method – this causes significant user frustration and can slow down business processes.
"Whilst effective for specific malware campaigns, it is not optimal to defend within your perimeter and on critical assets such as endpoints, as the malicious code is already within the organisation looking for a victim. Organisations need to be looking at alternative technologies that defend at the gateway, which is a challenge given Microsoft’s own protection services fail to stop these specific attacks, and it ends up being specific files hashes used to filter – this is not effective at all," he said.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout