FireEye recently detected malicious Microsoft Office RTF documents
that leverage a previously undisclosed vulnerability. This
vulnerability allows a malicious actor to execute a Visual Basic
script when the user opens a document containing an embedded exploit.
FireEye has observed several Office documents exploiting the
vulnerability that download and execute malware payloads from
different well-known malware families.
FireEye shared the details of the vulnerability with Microsoft and
has been coordinating for several weeks public disclosure timed with
the release of a patch by Microsoft to address the vulnerability.
After recent public disclosure by another company, this blog serves to
acknowledge FireEye’s awareness and coverage of these attacks.
FireEye email and network products detect the malicious documents
The attack involves a threat actor emailing a Microsoft Word
document to a targeted user with an embedded OLE2link object. When the
user opens the document, winword.exe issues a HTTP request to a remote
server to retrieve a malicious .hta file, which appears as a fake RTF
file. The Microsoft HTA application loads and executes the malicious
script. In both observed documents the malicious script terminated the
winword.exe process, downloaded additional payload(s), and loaded a
decoy document for the user to see. The original winword.exe process
is terminated in order to hide a user prompt generated by the OLE2link.
The vulnerability is bypassing most mitigations; however, as noted
above, FireEye email and network products detect the malicious
documents. Microsoft Office users are recommended to apply the patch
as soon as it is available.
FLARE Team, FireEye Labs Team, FireEye iSIGHT Intelligence, and
Microsoft Security Response Center (MSRC).
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog