Security researchers have warned that the Inception group of hackers is active again and using a year-old Office vulnerability to attack organisations in Europe.
According to a blog post by researchers at Palo Alto Networks, attacks against European targets were observed in October using CVE-2017-11882 (the memory-corruption flaw in the Office Equation Editor) together with a new PowerShell backdoor, which the researchers dubbed PowerShower.
The attack uses a feature of Microsoft Office called remote templates. This feature allows a document to load the template it is based on from an external location, either a file share or a web server, rather than from the local machine.
Attackers have abused the feature because the initial document contains no explicitly malicious object, which lets it pass static analysis. The server hosting the template can also choose what to return based on data the victim's machine sends when it requests the template, such as the Microsoft Word version (carried in the User-Agent header) and the IP address of the target, so malicious content can be served only to machines the attacker is interested in.
"Once the attack is over, and the server hosting the remote template is down, it is difficult for researchers to analyse the attack as the remote content is unlikely to be available to them," the researchers said.
When a victim opens the document it displays decoy content while attempting to fetch the malicious remote template over HTTP. The decoy content is usually copied from media reports, often with political themes relevant to the target regions; examples have included invitations to international conferences and news articles on the current situation in Crimea.
Researchers said the dropped payload of the malware acts as an initial reconnaissance foothold and is almost certainly used to download and execute a secondary payload with a more complete set of features.
"By only using this simple backdoor to establish a foothold, the attacker can hold back their most sophisticated and complex malware for later stages, making them less likely to be detected," researchers said.
This payload lets the attackers fingerprint the machine and upload that information to the initial command-and-control server, clean up a significant amount of forensic evidence left by the dropper process, and run a secondary payload if the attacker decides the target machine is sufficiently interesting, based on analysis of the system data sent in the first beacon.
Dan Pitman, principal security architect at Alert Logic, told SC Media UK that although the vulnerability is older, the style of attack seen here is similar to the "droppers" that Alert Logic has seen used more and more this year, including a similar one published back in October which also uses PowerShell to automate malicious activity (in that case cleaning up competing crypto-miners) before the actual exploit payload is deployed.
"Ultimately, the lesson here is a traditional one; teach, patch, monitor - businesses must regularly educate employees and arm them with techniques to spot malicious activity and, almost more importantly, a clear route on what to do if they are suspicious," he said. "Though the first goal must be to make monitoring and governance a priority for all systems from business-critical web applications to end user services. We can't stop attackers trying but we can limit their ability to capitalise on any mistakes made in the moment."