Attacks based on Office files have increased rapidly in the past few months. They seem far less harmful than ZIP or even EXE files in your mailbox, and when combined with a plausibly worded email, users are too easily tempted to open the infected files. Although macro-based attacks still require the user to enable macros, the Microsoft Word Intruder (MWI) attack uses unpatched vulnerabilities: just opening the file compromises the computer.
The spread of malware or crimeware has not slowed down – on the contrary. Back in the early 1990s, the first tools that greatly facilitated the process of creating malicious code were released, opening this vector to beginners. Examples of this include the Virus Creation Laboratory (VCL) or the Phalcon-Skism Mass Produced Code Generator (PS-MPC), both still under MS-DOS. Nothing has changed here – just like then, new tools and kits are still published at regular intervals. The biggest difference compared with the 1990s is that now the kits are used for one main reason: to make money. There's a huge market in this area, and malware – or complete construction kits – are now delivered to order.
Consider, for example, the MWI exploit and crimeware kit. The "Malware Creation Kit" developed in Russia gives users the ability to manipulate Word documents so that just opening them is sufficient to infect a Windows system with malicious code. In the past, the following well-known vulnerabilities were exploited for this purpose: CVE-2012-0158, CVE-2013-3906, CVE-2014-1761 (Figure 1). Today, however, an exploit that Microsoft actually closed in April 2015 (CVE-2015-1641) that targets a vulnerability in Microsoft Office is increasingly being used.
The two types of malware that can be created by the kit are droppers and downloaders. A dropper is an autonomously executable program file that usually contains the entire payload. A downloader, in contrast, first fetches the code, completely or partially, from previously compromised and prepared servers. According to Sophos, the ratio between dropper and downloader variants in the wild is 59 percent (droppers) to 41 percent (downloaders). The manner of distribution, the infection vector, is anything but new. The potential victims are still sent the malicious code in spam mail, typically in the form of email attachments such as bills, dunning letters, or order confirmations. Cybercriminals use these attachments to transport malicious code to potentially vulnerable systems.
In the past, attackers used this method to successfully distribute well-known malicious code such as the banking trojan Zeus or the Cryptowall ransomware code. The latter encrypts the victim's hard disk and asks the victim to pay a ransom. This type of malware is then used to obtain confidential data such as the victim's credit card data and once again make money.
From Espionage Tools to a Public Commodity
In 2015, experts observed an alarming trend: In the past, these tools were initially used for secret service attacks; now, however, they are increasingly being used by cybercriminals. In the "Microsoft Word Intruder Revealed" white paper published by Sophos, the antivirus manufacturer highlights some interesting aspects, including the basic operating principle of MWI.
In this attack, the manipulated document starts with a "start marker" and the encrypted payload. As described previously, two types of payload are used: droppers or downloaders. The next component involves the appropriate exploit blocks. These are successively checked for effectiveness by a separate routine. If the target system is vulnerable to one of the exploits, corresponding shell code is run. Each exploit comes with its own shell code that performs the next part of the attack. Usually these documents contain up to four exploits, which naturally increases the prospect of a successful attack.
MWI works in an unconventional way. Usually, such documents are built the other way round: The exploit usually comes first and is complemented by the encrypted payload at the end. This is mostly attributable to ease of manual editability. With MWI, however, the documents start with the payload, followed by various exploits. With a toolkit that is automated for the most part like MWI, manual editing plays a negligible role.
Droppers, Downloaders, and Payload
The decrypted dropper mostly consists of two components: the executable shell code and a memory block that contains the final malware. Put simply, the dropper's shell code ensures that the malware is copied to the hard disk. Following this, the dropped file is executed. On Windows systems, the malware is typically found at one of the following paths:
%LOCAL SETTINGS%\ntxobj.exe or
%LOCAL SETTINGS%\Temporary Internet Files\Content.Word\~WRX-4014.tmp
The dropped file is run via the Windows "CreateProcessA" function or the Windows Management Interface (WMI) COM interface. Executing via WMI is unusual and suggests that it is designed only to work around antivirus programs that do not monitor such WMI activity.
The decrypted downloader works almost identically, except that it loads the malicious code via the "URLDownloadToFileA" function. The corresponding URL is already present in the shell code by default and can be customized in the construction kit. The directories and file names are also identical and used in the same order as for the dropper. MWI also offers users the option of accessing an additional module called MWISTAT. This module enables communication with a command and control server that can track the distribution and spread of the malware. Server-side, this is implemented by a number of PHP scripts; the infected target system sends the collected data to the server using an HTTP request.
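The drop locations and the two execution methods described above are the observable footprint a defender can hunt for on an endpoint. The following script is an added example, not code from the article or from Sophos: it runs a simple heuristic over Sysmon-style host log lines (constructed here, in an assumed "key=value | key=value" layout with event 11 for file creation and event 1 for process creation) and flags Word writing into the known drop paths, as well as any process started from those paths, noting when the parent is the WMI provider host (WmiPrvSE.exe). The expansion of %LOCAL SETTINGS% to the modern AppData\Local folder is an assumption of the example.

```python
"""
Host-log heuristics for the MWI dropper/downloader footprint (added example).

Assumptions (constructed for this example, not taken from the article):
  * log lines are Sysmon-style "key=value" pairs separated by " | "
  * EventID 11 = file create, EventID 1 = process create
  * the logging pipeline expands %LOCAL SETTINGS% either to the legacy
    "Local Settings" folder or to the modern AppData\\Local folder
"""
import re
from typing import Dict, List

# Drop locations quoted in the article, expressed as path-suffix patterns.
DROP_PATH_PATTERNS = [
    re.compile(r"\\(AppData\\Local|Local Settings)\\ntxobj\.exe$", re.IGNORECASE),
    re.compile(r"\\Temporary Internet Files\\Content\.Word\\~WRX-\d+\.tmp$", re.IGNORECASE),
]

OFFICE_IMAGES = {"winword.exe"}      # process that should never drop executables here
WMI_HOST = "wmiprvse.exe"            # parent seen when a process is started via WMI


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v | k=v' into a dict; values may contain backslashes and spaces."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def matches_drop_path(path: str) -> bool:
    """True if the path ends in one of the documented MWI drop locations."""
    return any(p.search(path) for p in DROP_PATH_PATTERNS)


def analyse(lines: List[str]) -> List[str]:
    """Return one finding string per suspicious event, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == "11":
            # Word itself writing into one of the known drop locations
            if basename(ev.get("Image", "")) in OFFICE_IMAGES and matches_drop_path(ev.get("TargetFilename", "")):
                findings.append(f"office-drop: {ev['Image']} wrote {ev['TargetFilename']}")
        elif eid == "1":
            # Anything started from a drop location; record whether WMI launched it
            image = ev.get("Image", "")
            parent = basename(ev.get("ParentImage", ""))
            if matches_drop_path(image):
                how = "via WMI (WmiPrvSE parent)" if parent == WMI_HOST else f"parent={parent}"
                findings.append(f"drop-exec: {image} started {how}")
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "EventID=1 | Image=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE | ParentImage=C:\\Windows\\explorer.exe",
    "EventID=11 | Image=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE | TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temporary Internet Files\\Content.Word\\~WRX-4014.tmp",
    "EventID=1 | Image=C:\\Users\\alice\\AppData\\Local\\Temporary Internet Files\\Content.Word\\~WRX-4014.tmp | ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "EventID=11 | Image=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE | TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temporary Internet Files\\Content.Word\\report.docx",
    "EventID=1 | Image=C:\\Users\\alice\\AppData\\Local\\ntxobj.exe | ParentImage=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The benign `report.docx` write is deliberately not flagged: the rule keys on the documented file names, not on the Content.Word folder as a whole, which Word legitimately uses. The WMI-parent check matters because, as the article notes, a process launched through WMI does not appear as a child of WINWORD.EXE, so a detection that only looks at Word's direct children misses that variant.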
According to the results published by Sophos, the payloads delivered by MWI include numerous prominent malware variants, including:
All of this suggests that MWI is deployed by many cybercriminals as an "exploits-as-you-need-them" malware creation service.
Multilayered Protection Against Infection
If you want to protect yourself against infection by MWI documents, your best bet is to update your Microsoft Office regularly – preferably automatically and promptly – and to take the usual preventive measures such as the use of an up-to-date malware scanner. Alternatively, the use of other, less popular office packages is recommended. One example is LibreOffice, which is available free of charge. Attackers generally prefer widespread products to increase the likelihood of successful attacks.
Additionally, measures such as complete patch management (including third-party applications) should be established. You can simplify this process by getting rid of any non-essential programs. This approach also reduces the attack surface. Also, working with restricted user rights should be considered standard. Working with full administrative privileges every day increases the vulnerability of any system and should be avoided. It is equally important for the user to have a healthy amount of caution and mistrust. All employees should be trained at regular intervals to identify the latest threats and new attack vectors.
The MWI attacks show how dangerous even harmless-looking office files can be. Although most Office-based attacks rely on macros, which must be enabled by the user, to infect the target, simply opening the file is all it takes for this type of attack. Even the best technical security measures can only provide limited protection. Awareness on the part of individual users is crucial. Whenever possible, users should validate the sender, subject, and plausibility before opening any email messages or attachments they receive.