New threat vector: Latest Microsoft Word malware doesn’t use macros to unleash attack

A popular method of infecting users with malware has been Microsoft Office documents loaded with malicious macros. Word documents are the most common carrier, because victims are easy to social-engineer into downloading them. Attackers favour Office documents because macros are so readily abused; that is why macros are disabled by default and must be enabled by the user. A new Microsoft Word malware attack, however, shows that macros are not necessary to infect a machine. Research from the security company Trustwave details a macro-free malware attack delivered through Word documents sent as email attachments. The goal of the attack is to steal credentials from the unsuspecting user’s email clients, FTP clients, and browsers via a “multi-stage email Word attack.”

The attack is in four parts, which are as follows (with direct quotes from the Trustwave report):

  1. The .docx file (created with Word 2007) is opened, and this “allows external access to remote OLE objects to be referenced in the document.xml.rels”.
  2. An RTF file download is triggered; the downloaded RTF file leverages an exploit for CVE-2017-11882, a vulnerability in the Microsoft Equation Editor tool.
  3. The RTF file will “execute an MSHTA command line which downloads and executes a remote HTA file. The HTA file contains VBScript... By decoding each character code in VBScript, it reveals a PowerShell Script which eventually ... executes a remote binary file.”
  4. The malicious payload is executed, stealing credentials “by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.”
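
As an added, defender-side illustration of step 1 (example code, not Trustwave's or the article's): a .docx is a ZIP package, and the relationships that make Word reach out for a remote object live in its `*.rels` parts as entries with `TargetMode="External"`. The check below opens a document, walks every relationships part and reports OLE-object relationships that point outside the package, while leaving ordinary external hyperlinks alone so normal documents do not alert. The sample document, the placeholder host `example.invalid` and the helper names (`external_ole_targets`, `is_suspicious`, `build_sample_docx`) are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the Office relationship types used below.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_TYPE = OFFICE_REL + "oleObject"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"


def external_ole_targets(docx_bytes):
    """Scan every *.rels part in the package and return a list of
    (rels part, relationship Id, Target) for OLE-object relationships whose
    TargetMode is "External", i.e. objects Word would fetch from a remote
    location when the document is opened. Hyperlinks and other external
    relationship types are deliberately ignored so that ordinary documents
    do not trigger an alert."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                is_external = rel.get("TargetMode", "Internal") == "External"
                if is_external and rel.get("Type") == OLE_TYPE:
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def is_suspicious(docx_bytes):
    """True if the document references at least one remote OLE object."""
    return bool(external_ole_targets(docx_bytes))


def build_sample_docx(ole_target=None):
    """Construct a minimal .docx in memory (sample data for this example only).
    It always carries a harmless external hyperlink; when ole_target is given,
    an external OLE relationship is added to word/_rels/document.xml.rels,
    mirroring the structure the Trustwave report describes."""
    rels = [
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL,
        '<Relationship Id="rId2" Type="%s" Target="https://example.com/" '
        'TargetMode="External"/>' % HYPERLINK_TYPE,
    ]
    if ole_target is not None:
        rels.append('<Relationship Id="rId3" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (OLE_TYPE, ole_target))
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>'),
        "_rels/.rels": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>'
            '</Relationships>' % (REL_NS, OFFICE_REL)),
        "word/document.xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>sample</w:t></w:r></w:p></w:body></w:document>'),
        "word/styles.xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'),
        "word/_rels/document.xml.rels": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels))),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder standing in for whatever remote
    # location a real sample would reference.
    clean = build_sample_docx()
    bad = build_sample_docx("http://example.invalid/stage2.rtf")
    print("clean document suspicious:", is_suspicious(clean))
    print("remote OLE references:", external_ole_targets(bad))
```

The check is static, so it can run in a mail gateway or on a quarantine share before anyone opens the file. It only inspects relationship metadata and never fetches the target, and because it filters on the `oleObject` relationship type rather than on `TargetMode` alone, documents with ordinary external hyperlinks pass cleanly.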

The only defense against this particular Word malware is to practice common-sense cybersecurity strategies. Be wary of any email that comes from an unknown source, and most importantly, do not download any document unless you are absolutely certain that it is necessary.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
