Attackers Use Undocumented Word Feature to Fingerprint Victims’ Software

Attackers are taking advantage of an undocumented feature in Microsoft Word to gather information about potential victims by using seemingly harmless documents that have no active code embedded in them.

The technique was discovered by researchers from Kaspersky Lab in OLE2-formatted documents distributed as attachments to spearphishing emails. The files abused a feature called INCLUDEPICTURE that allows a picture to be attached to certain characters in the text.

AppSec/API Security 2022

Attackers have figured out how to include a URL in the INCLUDEPICTURE field and trick Microsoft Word to access it when the document is opened. The URL pointed to a PHP script on a remote server controlled by attackers.

“The document contains no active content, no VBA macros, embedded Flash objects or PE files,” the Kaspersky Lab researchers said in a blog post. However, when users open the document, Word sends a GET request to one of the internal links and that request contains information about the software installed on their machines, including the version of Microsoft Office they use, the researchers said.

Such information can be very valuable to hackers in the planning of a targeted attack. It provides them with the information needed to choose a software program to attack and how to deliver the exploit.

The abused feature is not only present in Microsoft Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android, the Kaspersky researchers said. LibreOffice and OpenOffice do not have it.

CCleaner Compromise Shows Risks of Supply-Chain Attacks to Businesses

A backdoored installer for the popular system optimization tool CCleaner was distributed to more than 2 million users over the past month. The incident is the latest in a string of supply-chain attacks that were reported this year and resulted in malware-infected applications being delivered to users directly from their developers’ servers.

According to researchers from Cisco Systems’ Talos division, the malicious code was added to the CCleaner installer before the package was compiled and digitally signed. This suggests that hackers managed to gain access to the program developer’s infrastructure.

The compromised installers were for CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191, which were released on Aug. 15 and Aug. 24, respectively. Only the 32-bit versions of the installers were affected.

CCleaner is developed by a company called Piriform that was acquired by antivirus firm Avast in July. The program has been downloaded more than 2 billion times since its launch in 2003 and regularly exceeds 20 million downloads per month.

Piriform released clean versions of CCleaner and CCleaner Cloud Sept. 12 and said that until the investigation is finished it doesn’t “want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it.”

The incident highlights the serious risks that supply-chain attacks can pose to companies. It’s worth noting that CCleaner Cloud is a business product and Piriform notes on its website that the program is “trusted by” Princeton University, City of Vancouver, Airbus, HBO, Siemens, Intel, Oracle, DHL and other well-known companies.”

Furthermore, another security firm called Morphisec claims that it was the first to spot the infected installers and notify Avast after its technology detected the backdoor “at customer sites” Aug. 20 and 21. Morphisec is an enterprise endpoint security vendor so its customers are businesses and large organizations, not consumers.

“Supply-chain attacks can be a very powerful way to get onto high-profile companies’ IT networks in a roundabout way,” said Carsten Eiram, the chief research officer at Risk Based Security. “Since the software comes from a legitimate vendor that is trusted by these companies, the software is rarely subjected to the same scrutiny as would be the case for other types of attacks.”

There is evidence that attackers are increasingly using this technique. Last month, Kaspersky Lab documented an attack it dubbed ShadowPad where hackers managed to insert a backdoor into a legitimate update for an enterprise server administration tool developed by a company called NetSarang Computer. In June, the destructive NotPetya SMB worm that caused major disruptions at large companies around the world started with an infected update for an accounting program called M.E.Doc.

In May, Microsoft warned about Operation WilySupply, an attack that targeted high-profile technology and financial organizations with malware delivered through the compromised update mechanism for an editing tool.

Aside from understanding the security of the software, devices and libraries they use on their networks, companies need to understand the security posture of the vendors that provide those tools, Eiram said. “A given vendor may make a great effort to write secure code with few vulnerabilities and of a high code maturity, but if it doesn’t make an equal effort to secure its IT infrastructure, its products may be the way for attackers to get onto its customers’ networks.”

Lucian Constantin

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

One thought on “Attackers Use Undocumented Word Feature to Fingerprint Victims’ Software

Comments are closed.