Most malicious Microsoft Office documents involve either macros, embedded scripts, or exploits and are typically delivered via email. In this post, we take a look at a Microsoft Word document which itself is somewhat clean, but is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. This then loads another document that contains an exploit. In this case, the unsuspecting user opening the decoy Word document will trigger an automatic (no click or interaction required) download of a malicious RTF file that deploys an exploit (CVE-2017-8759), which ends up distributing the final malware payload. The several-step removed payload is a commercial Remote Administration Tool that, in this case, is used for nefarious purposes.

While attackers could have sent the exploit-laced document first, that might have triggered detection and quarantine at the email gateway. Instead, the benign document acted as a kind of Trojan horse that made its way to the end user's desktop, where it would finally show its real intent. Victims will be none the wiser as the infection process happens in the background, while their Word document finally loads what looks like legitimate content.

The diagram below summarizes the different steps that this attack takes, from the original document all the way to the malware payload.
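A defender's first triage step for a "clean-looking" OpenXML document is to look at where its relationships point, since a `.docx` is a zip archive whose `.rels` parts record every external reference the document will resolve. The script below is an added example written for this post, not code from the original article or from any vendor; it uses only the Python standard library. It builds a small constructed `.docx` in memory (the `https://example.invalid/...` target is a placeholder, not an indicator from the real attack) and lists every relationship with `TargetMode="External"` whose target uses a remote scheme, together with the relationship type, so an analyst can see at a glance whether a document reaches out to a second stage.

```python
"""List external, remote-scheme relationships inside an OpenXML (.docx) package.

Added example for this post; not the original author's code. It assumes only the
documented OpenXML package layout: every *.rels part is a Relationships XML
element whose Relationship children may carry TargetMode="External".
The script reports such references; it never fetches them.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_relationships(docx_bytes: bytes):
    """Return (rels_part, relationship_type, target) for each relationship in the
    package that is marked External and whose target has a remote URL scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme.lower() in REMOTE_SCHEMES:
                    # Keep only the short relationship type (e.g. "hyperlink").
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def build_sample_docx(external_target=None) -> bytes:
    """Construct a minimal .docx in memory. If external_target is given, add a
    hyperlink relationship to it marked External (constructed test data)."""
    rels = [
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL
    ]
    if external_target:
        rels.append(
            '<Relationship Id="rId2" Type="%shyperlink" Target="%s" '
            'TargetMode="External"/>' % (OFFICE_REL, external_target)
        )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            "</Types>",
        )
        zf.writestr(
            "_rels/.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>'
            "</Relationships>" % (REL_NS, OFFICE_REL),
        )
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/styles.xml", "<w:styles/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demo; not an indicator from the attack.
    sample = build_sample_docx("https://example.invalid/stage2.rtf")
    for part, rel_type, target in external_relationships(sample):
        print("%s: %s -> %s" % (part, rel_type, target))
```

Ordinary clickable links also appear as `hyperlink` relationships with `TargetMode="External"`, so the output is a triage list rather than a verdict: the relationship type and the target host are what tell an analyst whether a document is merely linking somewhere or is wired to pull in a second document as described above.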