Attackers using a Word zero-day to spread malware

by Bill Brenner
Read Full Article at Naked Security

Attackers are using a previously undisclosed security hole in Microsoft Word to install a variety of malware on victims’ computers. Microsoft knows about the zero-day and is expected to patch it later today. As we await that security update, here’s a review of the bug and the available defenses.

In its investigation, SophosLabs determined that exploits against this vulnerability have been happening for some time. SophosLabs principal researcher Gábor Szappanos said:

This vulnerability has been used for months in targeted attacks. Most of the activity went on in March-April 2017, but the first sample we could locate dates back to November 2016.

What we know so far

The vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort.

In this case, the booby-trapped server sends out a compiled HTML file with an embedded program script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

Naked Security’s Paul Ducklin reviewed SophosLab’s findings and said of the attack technique:

“It’s a bit like wearing overalls to get into a fancy dinner party venue by blagging your way in the front door as the plumber come to do a quick check for a possible leak in the Gents. Once inside, you strip off to the dinner jacket you’re wearing under the overalls, so you now pass muster as a dinner guest, with everyone assuming you showed your invitation at the door already. Dressed up properly in the DJ wouldn’t have got you in through the lobby at the start, because of no invitation, and the overalls wouldn’t have got you into the dining room, because of violating the dress code. So you wear the right clothes at the right moment and subvert both places where you would otherwise get spotted.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.”

Additional defensive measures

As mentioned, Microsoft will release a patch for the vulnerability. Meantime, Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

Additional advice, for this threat and many others, include the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  • It appears that attacks seen in the wild thus far can’t bypass the Office Protected View, which means enabling it may provide some extra protection.
  • Watch for Microsoft’s patch, and – once it’s released – install immediately.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.

000-017   000-080   000-089   000-104   000-105   000-106   070-461   100-101   100-105  , 100-105  , 101   101-400   102-400   1V0-601   1Y0-201   1Z0-051   1Z0-060   1Z0-061   1Z0-144   1z0-434   1Z0-803   1Z0-804   1z0-808   200-101   200-120   200-125  , 200-125  , 200-310   200-355   210-060   210-065   210-260   220-801   220-802   220-901   220-902   2V0-620   2V0-621   2V0-621D   300-070   300-075   300-101   300-115   300-135   3002   300-206   300-208   300-209   300-320   350-001   350-018   350-029   350-030   350-050   350-060   350-080   352-001   400-051   400-101   400-201   500-260   640-692   640-911   640-916   642-732   642-999   700-501   70-177   70-178   70-243   70-246   70-270   70-346   70-347   70-410   70-411   70-412   70-413   70-417   70-461   70-462   70-463   70-480   70-483   70-486   70-487   70-488   70-532   70-533   70-534   70-980   74-678   810-403   9A0-385   9L0-012   9L0-066   ADM-201   AWS-SYSOPS   C_TFIN52_66   c2010-652   c2010-657   CAP   CAS-002   CCA-500   CISM   CISSP   CRISC   EX200   EX300   HP0-S42   ICBB   ICGB   ITILFND   JK0-022   JN0-102   JN0-360   LX0-103   LX0-104   M70-101   MB2-704   MB2-707   MB5-705   MB6-703   N10-006   NS0-157   NSE4   OG0-091   OG0-093   PEGACPBA71V1   PMP   PR000041   SSCP   SY0-401   VCP550   352-001   101   102-400   MB2-707   70-178   JN0-102   640-911   ICGB   350-001   70-246   000-089   300-135   9A0-385   1V0-601   70-412   70-347   300-070   000-104   350-060   200-310