A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.
Researchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. The method of infection includes a new multi-stage infection technique.
The company, which released details of the method Monday, said that attacks are adept at evading security solutions such as sandboxes and AV solutions, which fail when there is no malicious content or rogue links in a document to detect.
“The absence of active code or shellcode in the first stage malicious document, which was sent as an email attachment, is noteworthy because this attack relies on a remotely-hosted malicious object,” said Vinay Pidathala, director of security research at Menlo Security.
Researchers said attackers are exploiting “design flaws” in the document formats .docx and RTF, in combination with abusing unpatched instances of a remote code execution vulnerability CVE-2017-8570 – patched in July 2017.
The first stage of the attack is the most significant and unique aspect of the malware infection chain, according to researchers. It involves a spam email and an attached .docx file. The Word document utilizes Framesets. “Framesets are HTML tags and contain frames responsible for loading documents,” described the researcher.
When the document is simply viewed in Microsoft Office “Edit” mode (and not the default “Protected” mode), an embedded frame points to a TinyURL defined in the document’s webSettings.xml.rels file. A “.rels” file contains information about how different parts of a Microsoft Office document fit together, according to a description on File.org.
“If a victim opens the malicious first stage document, Microsoft Word makes an HTTP request to download the object pointed to by the URL and renders it within the document,” according to Menlo Security.
In the case of the rogue document, the TinyURL points to command-and-control (C2) server domains located in France and the United States that download a malicious RTF file.
According to Pidathala, it is this first stage of the attack that is unique. The rest of the attack, he said, is fairly common and one currently used in a number of recent attacks by cybercriminals behind the Cobalt group to deliver FormBook and other types of malware.
“A design behavior occurs in RTF documents, when an RTF document with an embedded Package object is opened, the embedded object is automatically dropped to the %TEMP% directory of Windows. This technique was also used by the threat actors behind the Cobalt group that used CVE-2017-11882,” wrote researchers noting a recent spike in attacks using the CVE.
The vulnerability CVE-2017-11882 is the remote code execution bug patched last November located in an Office executable called Microsoft Equation Editor. But instead of taking advantage of that vulnerability, the most recent attacks identified by Menlo Security take advantage of the vulnerability CVE-2017-8570.
The vulnerability CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office tied to the way the software suite handles objects in memory.
“For the attack to succeed, this executable still needs to be executed. And, that’s where the CVE-2017-8570 comes into play. CVE-2017-8570 executes the dropped object in the %TEMP% directory,” researchers said.
Menlo Security observed an embedded .sct (scriptlet) file dropped to the %TEMP% directory. “When the .sct file is executed, the large amount of data is written to the %TEMP% directory with the name chris101.exe. Wscript.Shell.Run() method is then called with the path to the .exe to start the malicious executable,” they said.
Next, the malicious executable calls to the adversaries’ C2 and downloads a third-stage downloader that drops the FormBook malware onto the targeted system.
FormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords.
Pidathala said he believes this attack technique exposes a larger attack surface. “There will be an uptick in malicious objects, where the malicious components are remotely hosted,” he said.