A popular method of infecting users with malware has been via Microsoft Office documents that are loaded with malicious macros. Chiefly among these documents are those from Microsoft Word as they are easy to social engineer victims into downloading them. The major reason for hackers utilizing Office documents has to do with the exploitable nature of macros. It is for this reason that macros are disabled by default, but they can be enabled by the choice of the user. But a new Microsoft Word malware attack shows that macros are not necessary to infect a machine. The research coming out of the security company Trustwave details a macro-free malware attack via Word documents in email attachments. The goal of the attack is to steal user credentials in the unsuspecting user’s email, FTP, and browsers via a “multi-stage email Word attack.”
The attack is in four parts, which are as follows (with direct quotes from the Trustwave report):
- The .docx file (created with Word 2007) is opened and this “allows external access to remote OLE objects to be referenced in the document.xml.rels”
- An RTF file download is triggered, which then executes the RTF file that leverages exploit (CVE-2017-11882) that targets MS Equation Editor tool.
- The RTF file will “execute an MSHTA command line which downloads and executes a remote HTA file. The HTA file contains VBScript… By decoding each character code in VBScript, it reveals a PowerShell Script which eventually … executes a remote binary file.”
- The malicious payload is executed, stealing credentials “by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.”
The only defense against this particular Word malware is to practice common-sense cybersecurity strategies. Be wary of any email that comes from unknown sources, and most importantly, do not download any document unless you are absolutely certain that it is necessary.
Photo credit: Shutterstock