Malicious Word File Auto Downloads Additional Malware

Cyber criminals have now resorted to a new attack vector: auto-downloading malware. If a victim is tricked into downloading a malicious Word file, that file in turn automatically downloads another malicious file of a different format. A successful download leads to a remote access Trojan (RAT) infection.

The Exploit

A distinctive feature of this malware is that it abuses a built-in feature of MS Word: whenever a Word file is opened, Word automatically updates any links contained in the file. The first file contains an embedded link that downloads the RAT. This vulnerability is known as CVE-2017-0199, and the RTF file exploits this weakness.

The RTF then downloads a JavaScript payload, which creates a shell object that in turn launches a PowerShell command to download the Netwire RAT file. The dangerous aspect of this vulnerability is that the link in the MS Word file is updated without any alert or warning to the user. By default, MS Word displays a warning: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

This exploit somehow suppresses that warning, and with it the user response the warning normally requires.
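As an added example that is not from the original article, the following Python script performs the static check a defender would run on an incoming RTF attachment: it looks for a linked OLE object marked for update-on-open (the RTF control words \objautlink and \objupdate from the RTF specification) and decodes the embedded object data to recover any URL it carries. The sample documents and the URL are constructed for illustration.

```python
import re

# RTF control words from the RTF specification: \objautlink marks a linked OLE
# object and \objupdate tells Word to refresh it when the document opens. Used
# together they produce the update-on-open behaviour the article describes.
# \objdata carries the object's payload as a hex string.
AUTO_LINK = re.compile(rb"\\objautlink\b")
AUTO_UPDATE = re.compile(rb"\\objupdate\b")
OBJ_DATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
URL_BYTES = re.compile(rb"https?://[\x21-\x7e]+")
URL_TEXT = re.compile(r"https?://[\x21-\x7e]+")

def extract_urls(blob: bytes) -> list[str]:
    """Recover URLs from decoded object data, whether stored as ASCII or UTF-16LE."""
    hits = [m.group(0).decode("ascii") for m in URL_BYTES.finditer(blob)]
    hits += URL_TEXT.findall(blob.decode("utf-16-le", errors="ignore"))
    return sorted(set(hits))

def scan_rtf(data: bytes) -> dict:
    """Flag an RTF document that carries an auto-updating linked object with a URL."""
    auto_link = bool(AUTO_LINK.search(data))
    auto_update = bool(AUTO_UPDATE.search(data))
    urls: list[str] = []
    for m in OBJ_DATA.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # tolerate a dangling nibble
        urls += extract_urls(bytes.fromhex(hexstr.decode("ascii")))
    return {
        "auto_update_link": auto_link and auto_update,
        "urls": sorted(set(urls)),
        "suspicious": auto_link and auto_update and bool(urls),
    }

# Constructed samples (not real malware artefacts). The first embeds a linked
# object marked for update-on-open whose data holds a UTF-16LE URL pointing at
# a placeholder host; the second is a plain document with no objects.
_URL = "http://malicious.example/stage2.js".encode("utf-16-le").hex().encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 0105000002000000" + _URL + b"}}\\par Benign text}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello, this is a plain RTF document.\\par}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

A real mail gateway or sandbox would run this check before Word ever opens the file; the verdict fields let a SOC alert on the auto-update flag alone even when the URL is obfuscated beyond what this heuristic recovers.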

CVE-2017-0199 exploited in a PPSX file

A group of cyber security researchers has observed the same pattern of exploitation with a PPSX file instead of an MS Word file. The attack was initiated by sending emails with a malicious PowerPoint Open XML Slide Show attachment. The malicious link is contained within this PPSX file. This link does require user interaction, and automatic downloading does not take place. However, the user does not have to click the link; merely hovering over it is sufficient to trigger the link and initiate the download of the RAT.

Cyber criminals will keep finding new attack vectors to thwart defenses. In the attacks explained above, the threat actors exploited no vulnerabilities in macros and used no macros at all; they exploited the mouse-over facility to trigger the link that downloads the malware.

Attack vectors will evolve. It will be up to IT security administrators to secure their enterprise network and data with a robust cloud-based endpoint security solution in order to stay protected from cutting-edge attacks.
