Tag Archives: office

Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs

cobalt-strike-malware-attack

A recently disclosed severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute a backdoor malware.

First spotted by researchers at security firm Fortinet, the malware has been dubbed Cobalt because it uses a component from a powerful and legitimate penetration testing tool, called Cobalt Strike.

Cobalt Strike is a form of software developed for Red Team Operations and Adversary Simulations for accessing covert channels of a system.

The vulnerability (CVE-2017-11882) that Cobalt malware utilizes to deliver the backdoor is a memory-corruption issue that allows unauthenticated, remote attackers to execute malicious code on the targeted system when opened a malicious file and potentially take full control over it.

This vulnerability impacts all versions of Microsoft Office and Windows operating system, though Microsoft has already released a patch update to address the issue. You can read more details and impact of the vulnerability in our previous article.

cobalt-strike-malware

Since cybercriminals are quite quick in taking advantage of newly disclosed vulnerabilities, the threat actors started delivering Cobalt malware using the CVE-2017-11882 exploit via spam just a few days after its disclosure.

According to Fortinet researchers, the Cobalt malware is delivered through spam emails, which disguised as a notification from Visa regarding rule changes in Russia, with an attachment that includes a malicious RTF document, as shown.

The email also contains a password-protected archive with login credentials provided in the email to unlock it in order to trick victims into believing that the email came from the legitimate financial service.

“This is [also] to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection,” Fortinet researchers Jasper Manual and Joie Salvio wrote.

“Since a copy of the malicious document is out in the open… so it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.”

Once the document is opened, the user has displayed a plain document with the words “Enable Editing.” However, a PowerShell script silently executes in the background, which eventually downloads a Cobalt Strike client to take control of the victim’s machine.

With control of the victim’s system, hackers can “initiate lateral movement procedures in the network by executing a wide array of commands,” the researchers said.

According to the researchers, cybercriminals are always in look for such vulnerabilities to exploit them for their malware campaigns, and due to ignoring software updates, a significant number of users out there left their systems unpatched, making them vulnerable to such attacks.

The best way to protect your computer against the Cobalt malware attack is to download the patch for the CVE-2017-11882 vulnerability and update your systems immediately.

Malicious Office macros are not dead

You could think that malicious Office macros are a thing of the past. They are not a major threat anymore, but they still represent a potential risk for unsuspecting users.

Since Microsoft Office enabled documents to embed macros that can even do complex actions such as dropping malicious executables, malicious office macros were used in the malware landscape.

When Office XP was released in 2001, it disabled macros by default: as a consequence, malicious macros were not so efficient to infect users, so their use in the malware landscape rapidly declined afterwards.

German warning: Macros have been disabled - Enable ContentHowever, it doesn’t mean that the threat is not present anymore, especially in corporate environments where users may leave them activated by default.

And the document can try social engineering to convince you to re-enable them.

a malicious Office document trying to convince the user to enable macros.


The file also contains something weird:

a suspicious highlighting on invisible textIf you scroll down, you notice something unusual:
that invisible but underlined text is actually a malware file (4D 5A is the signature of a Portable Executable file), encoded in the document, but in white font on white background.

hidden_executableThis is what it looks like if the text is back in normal color.

On execution, the macros remove this hidden text, to remove traces of maliciousness.

So, be careful: don’t enable macros by default, and don’t enable them for unusual documents.


Analyzing malicious office macros out of a document

Until Office 2007, Microsoft used the OLE Compound File Binary Format. Here is an accurate summary of the format:

"nigthmare", in blood lettersbecause it’s actually a complete filesystem, with multiple FAT formats, sectors, streams, defragmentation…

So for your sanity, we’ll avoid the details here as much as we can…

Starting with Office 2007, the default format was the “XMLs in a ZIP” Office Open XML.

But to store macros, even Office Open XML still uses the OLE format: they are located in the vbaProject.bin file inside the ZIP archive.

macros are located in ZIP/word/vbaProject.binSo in any case, we need to deal with the OLE format to extract macros: either the whole document (< Office 2007), either the vbaProject.bin file (later versions),


Just for your information, this is what such a OLE file looks like from a high level perspective.

high-level structure of an office file(don’t show that to your kids, they might look away from computers for ever)

If you still want to know more about the OLE format, you may want to watch Bruce Dang’s presentation on the topic.


 

So first, extract the vbaProject.bin file from the ZIP. Then, ask OfficeParser to extract the macros: luckily, it does all the magic for us.

Extracting macros from an office documentit displays an error, but the file NewMacros is still correctly extracted.

And then, you can clearly tell immediately the intent of the file… it’s pretty obvious (and actually, quite disappointing)…

stupid variable names in the macrosObvious variable names

anti-emulation code in the macroCommented “anti-emulation”

over-using the same anti-emulationThey are so proud of it that they re-used it multiple times…

Ok, let’s stop here. You already get the idea about the intents of this file, and now you know a simple method to analyze malicious Office macros yourself.

Sadly, not much to learn from this threat: excepted that it’s a good thing to practice on a ‘forgotten’ file type, that could still be used today to infect users.

Related tools:

  • OfficeMalScanner: doesn’t parse OLE file, but tries to extract embedded shellcodes and binaries.
  • OleFileIO_PL: a more advanced parsing library than OfficeParser, but with no direct macros extraction ability.

The post Malicious Office macros are not dead appeared first on Avira Blog.

Read More