A popular method of infecting users with malware has been Microsoft Office documents loaded with malicious macros. Chief among these are Microsoft Word documents, because it is easy to social engineer victims into downloading them. The main reason attackers favor Office documents is the exploitable nature of macros. It is for this reason that macros are disabled by default, though users can choose to enable them. But a new Microsoft Word malware attack shows that macros are not necessary to infect a machine. Research from the security company Trustwave details a macro-free malware attack delivered through Word documents in email attachments. The goal of the attack is to steal the unsuspecting user’s credentials for email, FTP, and browsers via a “multi-stage email Word attack.”
The attack is in four parts, which are as follows (with direct quotes from the Trustwave report):
- The .docx file (created with Word 2007) is opened and this “allows external access to remote OLE objects to be referenced in the document.xml.rels”
- An RTF file download is triggered and the RTF file is executed; it leverages an exploit for CVE-2017-11882, a vulnerability in the Microsoft Equation Editor tool.
- The RTF file will “execute an MSHTA command line which downloads and executes a remote HTA file. The HTA file contains VBScript… By decoding each character code in VBScript, it reveals a PowerShell Script which eventually … executes a remote binary file.”
- The malicious payload is executed, stealing credentials “by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.”
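The first stage depends on the .docx relationship part (document.xml.rels) pointing at a remote OLE object. Because a .docx is a ZIP container holding XML parts, a defender can scan attachments for that pattern before they reach a user. The following script is an added example written for this article, not code from Trustwave or Microsoft; the relationship namespace and the oleObject relationship type are the standard Office Open XML values, and the two sample documents (one benign, one with an external OLE relationship pointing at a constructed placeholder URL) are built inline so the script runs offline.

```python
"""Flag .docx files whose relationship parts reference external OLE objects.

Added example, not from the article or Trustwave's report. A .docx is a ZIP
container; this scans every *.rels part for relationships whose
TargetMode="External" and reports those typed as OLE objects, the mechanism
the article describes for the first stage of the attack chain.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace / relationship type for embedded OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def external_relationships(docx_bytes):
    """Return (part_name, rel_id, rel_type, target) for every External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


def has_remote_ole(docx_bytes):
    """True if any External relationship is an OLE object (remote OLE reference)."""
    return any(rel_type == OLE_REL_TYPE
               for _, _, rel_type, _ in external_relationships(docx_bytes))


def build_docx(rels_xml):
    """Construct a minimal .docx-like ZIP around the given document.xml.rels (sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: only internal parts referenced, as a normal document would.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
    Target="styles.xml"/>
</Relationships>""" % REL_NS

# Constructed sample: an OLE relationship whose target is an external URL
# (placeholder host, not a real indicator from the report).
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
    Target="styles.xml"/>
  <Relationship Id="rId2" Type="%s"
    Target="http://placeholder.invalid/remote-object" TargetMode="External"/>
</Relationships>""" % (REL_NS, OLE_REL_TYPE)


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        doc = build_docx(rels)
        print(label, "remote OLE:", has_remote_ole(doc), external_relationships(doc))
```

Hyperlinks are also stored as External relationships and are perfectly normal, which is why `has_remote_ole` filters on the oleObject relationship type rather than flagging every external target; a mail gateway check that quarantines on `has_remote_ole` while logging the full `external_relationships` list gives analysts the target URL for triage without blocking ordinary documents.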
The only defense against this particular Word malware is to practice common-sense cybersecurity strategies. Be wary of any email from an unknown source, and most importantly, do not download any document unless you are absolutely certain that it is necessary.
I imagine that Anti-Malware programs will have a very rough time in discovering such malware. One more reason for us to start relying more on our head and less on our security programs.
You get it, shame most don’t and make my job harder! LOL
Interesting “new” approach to attacking via Word. And yes, you should always exercise common sense in opening documents. But don’t forget the important step of keeping your patches current. CVE-2017-11882 was patched in November, 2017:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
I totally agree, which is why I beat the drum of patch update management frequently in my articles. I tend to rant a lot about it. 🙂