New Document Attack Exploits Design Behavior Rather than Macros

Malicious Microsoft Word documents sent via email are a hacker favorite when it comes to infecting computers, but researchers have recently observed an attack campaign that uses first-stage docs without any active malicious code.

Instead of using macros or other embedded shellcode that might get blocked by Word’s security settings and which would require tricking users to execute, the attackers behind the recent campaign decided to take advantage of some design behaviors in .doc and .rtf files.

“The first stage of the attack is a malicious .docx file that is sent as an email attachment,” researchers from Menlo Security said in a report. “The malicious .docx file does not contain macros and does not leverage any exploits. Inside the .docx file, embedded in the frame section, is a URL. Framesets are HTML tags and contain frames responsible for loading documents.”

In other words, the document only contains an URL, which is not suspicious or unusual behavior and is unlikely to be blocked by security solutions. Meanwhile, files with macros or other types of scripting are likely to be heavily scrutinized.

When the rogue document is opened, Microsoft Word will automatically make a request to the URL to load the remote content into a frame. In this case, that content is an RTF file with an embedded Package object.

Due to a design behavior of RTF documents, Package objects are dropped inside the Windows temporary directory. This particular document drops a .sct (scriptlet) file, which, when executed, writes and loads an .exe file.

To achieve this execution, attackers attempt to leverage the CVE-2017-8570 vulnerability, which was patched in Office last July. Without this vulnerability, the attack chain is not complete, highlighting the importance of keeping Office up to date as well as Windows.

However, if the attack is successful, the third-stage component downloads and installs a malware program known as Formbook that exfiltrates data, takes screenshots and logs keystrokes. This malware has been associated in the past with cyberespionage attacks against organizations from various industries, including aerospace and defense.

Serious Flaws Endanger Protection Relays Used in Power Stations

Siemens has fixed high-risk vulnerabilities in its SIPROTEC 4, SIPROTEC Compact and Reyrolle protection relays that are used in electrical substations and other industrial installations.

The flaws affect relays that use the EN100 Ethernet communication module or the DIGSI 4 engineering software and were found by researchers from Positive Technologies. SIPROTEC 4 and SIPROTEC Compact devices provide a wide range of integrated protection, control, measurement and automation functions.

“By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment,” the Positive Technologies researchers said.

According to advisories released by ICS-CERT (ICSA-18-067-01 and ICSA-18-067-02), the flaws can be exploited remotely by attackers with a low skill level, which makes them even more dangerous.

The most serious vulnerability is tracked as CVE-2018-4840 and has a CVSS score of 7.5. It allows a remote attacker to upload modified device configurations and to overwrite access authorization passwords.

Another flaw, CVE-2018-4838, also rated with CVSS 7.5, allows attackers to downgrade the firmware of affected devices to versions that are affected by known vulnerabilities Siemens already patched.

The third vulnerability, CVE-2018-4839, only has a CVSS score of 4.0 but allows attackers with local access to the engineering system or who have a privileged network position to capture traffic and reconstruct access passwords.

The owners of affected devices are advised to upgrade to the new firmware versions released by Siemens or to implement the mitigations described by the company in its security advisories (SSA-203306 and SSA-845879).

Over the past year, security firms have reported that multiple groups of sophisticated attackers, possibly state-sponsored, are targeting companies from the power sector that operate the electrical grid. Their likely goal is to cause disruptions.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin