CVE-2017-11882 serving RAT and encrypted phishing campaign

Introduction

Malicious documents remain one of the most popular vectors for cybercriminals to deliver malware payloads onto a user's system. While we continue to see many types of VBA macro-based malware, there has been an increasing trend in malicious documents using the DDE protocol to deliver malware executables, which we wrote about last month. Microsoft released a security update last week that should significantly reduce the number of DDE-based attacks:

"Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. The update disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word." - Microsoft Security Advisory

Zscaler ThreatLabZ has been tracking a new vector involving malicious RTF document files weaponized with the recently disclosed Microsoft memory corruption vulnerability, CVE-2017-11882. In this blog, we will review a recent campaign leveraging this exploit and also share insights on encrypted phishing campaigns.

Infection cycle

In our research into this new exploit, we encountered spam phishing emails containing a malicious document attachment that leads to a Remote Access Trojan (RAT) and an encrypted phishing page. The complete workflow of this campaign is shown below:

Fig 1: Workflow

The malware is received by the victim in a phishing email with a password-protected archive as the attachment. An example of one...

Microsoft DDE protocol based malware attacks

Introduction

Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no one's surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents. In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs), ransomware, and backdoors. In this blog, we will share a detailed technical analysis of a few of these exploits and their payloads.

Background

The Microsoft Dynamic Data Exchange (DDE) protocol allows data to be transferred between applications. These applications can use DDE for one-time data transfers or for continuous exchanges; for example, a Microsoft Word document that uses data from an Excel spreadsheet is updated automatically through DDE as the spreadsheet data changes. The DDE protocol sends messages between applications that share data and uses shared memory to exchange data between the applications.

Microsoft Word documents have been used before to spread malware, but in those cases the victim had to manually enable macros for the payload to be downloaded onto the victim's system. With the DDE vulnerability...