It is generally believed that organisations can protect themselves from phishing attacks by training employees to stay alert and not download content from unknown sources. But how can an organisation protect itself if hackers succeed in triggering malware on a device even when employees do not download malicious Word documents?
This was the question raised by security researchers at Bromium who recently observed a new malware infiltration technique that involves the execution of malware even if the user does not open the Word document containing the malware.
The researchers also discovered that the malware executes its tasks even if the file is marked as coming from an untrustworthy location and is capable of ensuring that the payload is not scanned by some antivirus APIs.
A detailed analysis of the technique revealed that the malware is triggered when a user clicks on a document in Outlook or Windows Explorer, which generates a small preview of it. Because Microsoft turns off all macros when a document is rendered for preview in either Outlook or Windows Explorer, the malware instead executes through PowerShell launched from inside the Explorer Preview pane.
"As expected, the document does not contain a macro, but instead, it makes use of a feature of the RTF document format that allows the embedding of Excel using ‘\objupdate’ to force an update. It contains five embedded Excel workbooks in the footer, each holding some base64 encoded text in cell G135.
"The embedded workbook itself does contain a macro that runs on opening of Excel, which in turn reads the content of cell G135 and converts that text into the script to run in PowerShell. This results in a child Excel instance that isn’t running in the same security state as the preview process that launched it, which in turn gives the attacker the ability to launch PowerShell," the researchers explained.
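The indicators the researchers describe (an RTF wrapper, `\objupdate` forcing an update, and several embedded Excel objects in the footer) lend themselves to a simple file-triage check. The scanner below is an added example, not Bromium's code: its sample RTF is constructed and carries no real OLE payload, and the control-word patterns and the flagging rule are my own assumptions.

```python
import re

# RTF control words tied to the technique described above: embedded OLE
# objects, \objupdate (forces the object to load), and an Excel class name.
INDICATORS = {
    "embedded_objects": rb"\\object\b",
    "objupdate": rb"\\objupdate\b",
    "excel_classes": rb"\\objclass\s+Excel\.Sheet[\w.]*",
    "footer_groups": rb"\\footer[lrf]?\b",
}


def scan_rtf(data: bytes) -> dict:
    """Count embedding indicators in raw RTF bytes and decide whether to flag."""
    # Word accepts headers as short as "{\rt", so match on that prefix only.
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "flag": False, "reason": "not an RTF header"}
    counts = {name: len(re.findall(pat, data)) for name, pat in INDICATORS.items()}
    # \objupdate alone is legitimate; combined with embedded Excel objects it
    # matches the sample the researchers describe, so that is the trigger.
    flag = counts["objupdate"] > 0 and counts["excel_classes"] > 0
    if flag:
        reason = (f"\\objupdate forcing {counts['excel_classes']} embedded "
                  f"Excel object(s), {counts['footer_groups']} footer group(s)")
    else:
        reason = "no forced OLE update of an embedded Excel object"
    return {"is_rtf": True, "flag": flag, "reason": reason, **counts}


# Constructed sample: a footer holding two forced-update Excel objects whose
# \objdata is a placeholder byte, not a real workbook. Not a working document.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 "
    b"{\\footer "
    b"{\\object\\objemb\\objupdate{\\*\\objclass Excel.Sheet.12}{\\*\\objdata 00}}"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Excel.Sheet.12}{\\*\\objdata 00}}"
    b"}"
    b"\\pard Quarterly report attached.\\par}"
)

# Constructed benign sample for comparison.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 \\pard Plain text, no embedded objects.\\par}"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        result = scan_rtf(blob)
        print(f"{label}: flag={result['flag']} ({result['reason']})")
```

The check is a triage heuristic, not a parser: a document that hides the object inside nested groups or uses other class names needs an OLE-aware tool rather than a regex.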
Traditionally, hackers have had to rely on phishing and social engineering to trick employees into opening malicious documents, because the Office Protected View feature automatically disables macros in documents that arrive from untrustworthy sources. This prevents malware from using macros to execute or download its payload while a preview is generated.
However, the Office Preview process does not check whether a document's source is trustworthy before generating the preview, and this allows malicious actors to launch PowerShell, which in turn triggers the malware. The check is absent because disabling macros alone is considered sufficient to prevent malware injection at the preview-generation stage.
The researchers added that because the attack also works in Outlook's preview mode, the risk of infection is higher: the user does not even need to save the file to disk for Explorer Preview to render it. Simply clicking on the attachment in Outlook with previews enabled is enough for the attack to work.
They also noted that this attack mode has a significantly higher chance of success than the attack methods traditionally seen in Office documents. With less social engineering required for the attack to succeed, even well-trained users are at risk of infection.
Commenting on the discovery of the new malware injection technique, Maor Hizkiev, CTO and co-founder at BitDam, told SC Media UK that attackers continue to find new and increasingly effective ways to bypass security solutions. As most legacy security solutions can only detect attacks they've seen before, slightly tweaked iterations will fly under their radar, which is precisely the case here.
"Perhaps more alarming is the attack vector’s ability to circumvent the vigilance and watchfulness of cyber-literate employees by installing the payload before the malicious document has even been opened. If employees are totally helpless in protecting their devices the responsibility to do so lies with the employer. The only means of doing this is to adopt a proactive solution that prevents the attack from reaching employee inboxes in the first place," he added.