Windows 10 ActiveX control abused to execute TrickBot dropper

News by Rene Millman

Hackers are abusing a Windows 10 ActiveX control to launch Ostap, a JavaScript malware downloader that has been used to deliver TrickBot, via malicious macros as part of a phishing campaign

Hackers are abusing a Windows 10 ActiveX control to launch a malware downloader called Ostap, which has been used to deliver TrickBot.

According to a blog post by security researchers at Morphisec, attackers use the ActiveX control to trigger the malicious macro automatically once macros have been enabled in the malicious document.

As part of a phishing campaign, hackers send emails to potential victims with Word document attachments and ask them to open them. Once macros are enabled, the malicious macro runs; an ActiveX control sits underneath an image, hidden from view. The malicious OSTAP JavaScript downloader is itself hidden in the document body as white-coloured text, so it is invisible to the reader but still readable by the macro, according to the researchers.

When investigating the ActiveX control, researchers found it using the MsRdpClient10NotSafeForScripting class, the scriptable Remote Desktop (RDP) client control. The Server property is left empty in the script, so the connection attempt fails; the attackers rely on that failure, rather than on a successful connection, to run their own code.

“The OSTAP will not execute unless the error number matches exactly to "disconnectReasonDNSLookupFailed" (260); the OSTAP wscript command is concatenated with a combination of characters that are dependent on the error number calculation,” said Michael Gorelik of Morphisec.

He added that the malware will not run on workstations that have not been updated to Windows 10, because the control it depends on was introduced there. Within the macro, the control's OnDisconnected event handler is used as the trigger, and it stages a .BAT file.

Gorelik said that the batch file will execute wscript back with its own content. “An old trick using comments that the BAT will disregard during the execution of wscript (non-recognised command) while skipped together with its content when executed by wscript (or any other interpreter that adheres to the comments syntax),” he said.
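As an added illustration (not code from Morphisec or from this article), the following Python triage script checks a Word package for the three traits the report describes: an embedded ActiveX control, macro code referencing the RDP client's OnDisconnected handler, and white-coloured text runs carrying script. The indicator strings and the sample document it builds in memory are constructed for the example and are not published indicators of compromise.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Indicator strings chosen for this example (assumptions, not published IOCs).
SUSPICIOUS_VBA_TOKENS = (b"MsRdpClient", b"OnDisconnected",
                         b"disconnectReasonDNSLookupFailed", b"wscript")
SCRIPT_MARKERS = ("WScript", "ActiveXObject", "eval(")


def white_text_runs(document_xml: bytes) -> list:
    """Return the text of every run whose font colour is FFFFFF (white on white)."""
    root = ET.fromstring(document_xml)
    runs = []
    for r in root.iter(f"{{{W_NS}}}r"):
        color = r.find("w:rPr/w:color", NS)
        if color is None or color.get(f"{{{W_NS}}}val", "").upper() != "FFFFFF":
            continue
        text = "".join(t.text or "" for t in r.findall("w:t", NS))
        if text:
            runs.append(text)
    return runs


def scan_docm(data: bytes) -> dict:
    """Triage an OOXML package for the traits described above and return findings."""
    f = {"activex_parts": [], "vba_tokens": [], "white_text_chars": 0,
         "white_text_script": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. Any embedded ActiveX control is stored under word/activeX/.
        f["activex_parts"] = [n for n in names if n.startswith("word/activeX/")]
        # 2. Macro project. A real vbaProject.bin stores module source
        #    MS-OVBA-compressed, so a raw substring check is only illustrative;
        #    decompress with a tool such as olevba before matching in practice.
        if "word/vbaProject.bin" in names:
            blob = z.read("word/vbaProject.bin").lower()
            f["vba_tokens"] = [t.decode() for t in SUSPICIOUS_VBA_TOKENS
                               if t.lower() in blob]
        # 3. White-on-white text that looks like script.
        if "word/document.xml" in names:
            hidden = "".join(white_text_runs(z.read("word/document.xml")))
            f["white_text_chars"] = len(hidden)
            f["white_text_script"] = any(m in hidden for m in SCRIPT_MARKERS)
    hits = sum([bool(f["activex_parts"]), bool(f["vba_tokens"]),
                f["white_text_script"]])
    f["verdict"] = "suspicious" if hits >= 2 else "clean"
    return f


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory package mimicking the described layout (no real payload)."""
    visible = "<w:p><w:r><w:t>Enable content to view this invoice.</w:t></w:r></w:p>"
    hidden = ('<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
              '<w:t>var sh = new ActiveXObject("WScript.Shell"); // inert stub</w:t></w:r></w:p>')
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body>{visible}'
           f'{hidden if malicious else ""}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if malicious:
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
            # Plain-text stand-in for a (normally compressed) VBA module.
            z.writestr("word/vbaProject.bin",
                       b"Private Sub MsRdpClient_OnDisconnected(ByVal reason As Long)\r\nEnd Sub\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_docm(build_sample(flag)))
```

The verdict requires two of the three traits to coincide, since any one of them (an ActiveX control, a macro, or white text) is common in legitimate documents; the combination of a scriptable RDP control with a macro and hidden script text is what the report describes.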

Gorelik warned that keeping operating systems updated is necessary for better security, even though an up-to-date system alone does not guarantee protection.

“This example with OSTAP makes it clear that this doesn’t always work. Even with an updated OS, there remains a need for preventive measures such as attack surface reduction, moving target defense, and hardening,” he added. “There are hundreds more objects that have been introduced in the latest Windows 10 and even dozens more methods in the described object that sophisticated attackers can abuse.”

Jake Moore, cyber-security expert at ESET, told SC Media UK that it goes without saying that Windows operating systems require immediate updating when patches are released.

“The problem is that many organisations have a certain lead time to roll these out – whether this is because of home workers, a lack of internal IT staff, or simply procrastination. Malicious macros are nothing new, and the underlying attack has remained, but enabling macros is essentially a button asking for remote access disguised as another notification. Therefore, unknowingly, employees hand over total access to their machines and allow malicious actors to start controlling them,” he said.
