Multi-Stage Word Attack Without Macros

Multi-Stage Word Attack Without Macros

Spam publishers are using a new technique to infect users with malware. Although this attack relies on users opening Word documents, it does not require users to allow macro script execution.

This new non-macro technique is currently under active development, and researchers at Trustwave SpiderLabs are investigating malware activity.

The company states that scammers are using this multi-stage, non-macro technique to infect users with password stealers. Currently, there is evidence that only one organization is using this novel tactic, although it is certain that others will adopt it.

Development Chain of New Technology

The actual development chain is detailed below and relies on a variety of resources such as DOCX, RTF, HTA, VBScript, and PowerShell.

The victim receives a spam email with a DOCX file attachment.⏩ The victim downloads and opens the DOCX file.⏩ The DOCX file contains embedded OLE objects.⏩ The OLE object downloads and opens an RTF (disguised as DOC) file.⏩ The DOC file exploits the CVE-2017-11882 Office formula editor vulnerability.⏩ The exploit code runs the MSHTA command line.⏩ The MSHTA command line downloads and runs an HTA file.⏩ The HTA file contains VBScript that unzips a PowerShell script.⏩ The PowerShell script downloads and installs the password stealer.⏩ The malware steals passwords from browsers, email, and FTP clients.⏩ The malware uploads the data to a remote server.

Multi-Stage Word Attack Without Macros

Trustwave reports that it has seen this attack method being used to send malicious files via email.

TNT STATEMENT OF ACCOUNT – {random numbers}……………

Request for Quotation (RFQ) – < {random numbers} >

Telex Transfer Notification

SWIFT COPY FOR BALANCE PAYMENT

The only way to remain safe if users somehow break the development chain of this new technology is to keep Windows and Office updated.

Microsoft released a patch in the January 2018 Patch Tuesday security update that removed some of the formula editor’s functionality to mitigate CVE-2017-11882.

Trustwave’s report provides detailed information about this new attack by an international oil company.

Hua Mingjun, reminder: Patch as soon as possible!

Multi-Stage Word Attack Without Macros

You may also like

CVE-2017-11882 Exploit Collection

Multi-Stage Word Attack Without Macros

Leave a Comment