New Word malware attacks infect systems without using macros

News by Rene Millman

Security researchers have discovered a new email spam campaign that tries to get users to open up Word document attachments that downloads a password stealer as its final payload.

Security researchers have discovered a new email spam campaign that tries to get users to open up Word document attachments that downloads a password stealer as its final payload. This particular attack is unusual as it does not use macros embedded in the document to infect systems.

According to a blog post by researchers at Trustwave, the payload uses a four-stage infection process to download the password stealer. 

Researchers detailed how the infection takes place. First, a user receives the spam email with the Word document attached. On opening that attachment, an OLE object in the file causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed.

This RTF file exploits the recent CVE-2017-11882 vulnerability that targets the MS Equation Editor tool. “When the RTF file is run, by decoding the ASCII to its equivalent values, it will execute an MSHTA command line which downloads and executes a remote HTA file,” said researchers.

The HTA file contains VBScript with obfuscated code. By decoding each character code in VBScript, it reveals a PowerShell Script which eventually downloads and executes a remote binary file. Finally, the final payload is password stealer malware.

The malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist

“It's pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,” said researchers.

Dr Guy Bunker, SVP of products at Clearswift, told SC Media UK that this attack also makes use of known vulnerabilities in another application, in this case the MS Equation Tool. 

“Keeping the OS and applications up to date with the most recent patches will close out vulnerabilities, meaning they cannot be exploited. Unfortunately, this is not a one-time effort, it is constant and required vigilance on behalf of the IT department to watch for new vulnerabilities being published and then patches / fixes being made available by the vendors. When a patch/fix is released, deploying it as soon as possible is essential,” he said.

Paul Ducklin, senior technologist at Sophos, told SC Media UK that putting off critical patches for remote code execution holes typically leaves users at the mercy of the crooks – “and mercy is a quality in short supply amongst cyber-criminals. It's better to be in a position to patch fast and roll back in the rare cases you need to, than to patch slowly and keep hoping you'll get away with it."

Ken Gilmour, CTO, invinsec, told SC Media UK that allowing only white-listed executables to run on the network is probably the best defence against something like this. “However, it can take significant resources and effort to implement and maintain such a system. The best defence is a layered one, which ensures that an attack needs to bypass multiple different systems in order to be successful,” he said.

Chris O' Brien, director of Intelligence Operations at EclecticIQ, told SC Media UK that having a rule / policy that blocks the running of macro enabled documents is a good thing, but far too generic to capture attacks like this one. “Generation of more appropriate rules requires better understanding of these sorts of attack vectors to identify what the core components of the attacks are and how they are misusing legitimate tooling for nefarious purposes,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews