X
Tech

Hackers are using recent Microsoft Office vulnerabilities to distribute malware

Malware can steal passwords, bitcoin wallets, software keys, as well as carry out DDoS attacks and more -- and a campaign distributing it is targeting telecommunications, insurance, and financial services.
Written by Danny Palmer, Senior Writer

Video: 10 key strategies for disaster preparedness and increased IT security

Hackers are exploiting vulnerabilities in Microsoft Office software to spread a sophisticated form of malware that's capable of stealing credentials, dropping additional malware, cryptocurrency mining, and conducting distributed denial-of-service (DDoS) attacks.

The malware has been active since 2016 and, despite its powerful capabilities, it's available to purchase on underground forums for as little as $75.

Researchers at FireEye have observed a new campaign attempting to deliver the malware via spam emails to targets in the telecommunications, insurance, and financial services industries, with all of these attacks attempting to exploit recent vulnerabilities uncovered in Microsoft Office software.

The phishing emails are designed to be relevant to the selected target and include a ZIP file containing a malicious lure document, which users are encouraged to open. Once the Microsoft Office document file is accessed, the Office vulnerabilities are exploited and the PowerShell-based payload is run, infecting the victim.

One of the vulnerabilities exploited by the attackers is CVE-2017-11882. Disclosed in December, it's a security vulnerability in Microsoft Office which enables arbitrary code to run when a maliciously-modified file is opened. In the case of this campaign, the vulnerability allows an additional download to be triggered using a stored URL within the malicious attachment. The download contains the PowerShell script which drops the malware.

zyklon-lure.png

Examples of lure documents used to distribute malware.

Image: FireEye

The malware campaign also attempts to leverage CVE-2017-8759, a vulnerability which exists when Microsoft .NET Framework processes untrusted input and could allow an attacker to take control of an affected system. In this instance, the DOC file attached to the phishing emails contains an embedded OLE object which triggers the download of a stored URL to start the PowerShell process. The vulnerability was disclosed and patched in September.

See also: What is phishing? Everything you need to know to protect yourself from scam emails and more

If the PowerShell script is successfully run, it injects code which downloads the final payload from the malicious command and control server, which unpacks the malware onto the target computer, alongside functions which allow the attacker to use Tor to hide their tracks. The malware also contains various plugins allowing the attackers to secretly gain access to almost every type of data stored on the machine.

Among the features the malware offers attackers are the ability to steal passwords from popular web browsers, steal passwords from FTP applications and steal passwords from email accounts.

The malware can also steal from cryptocurrency wallets and steal licence keys of more than 200 popular software applications, including Office, SQL Server, Adobe, and Nero.

In addition to being able to steal from an infected user, the attackers can also rope the infected machine into a larger network of computers to help carry DDoS attacks and also use the machines as a tool for mining cryptocurrency. The malware is advertised across a range of popular underground forums.

Now read: Cybersecurity in 2018: A roundup of predictions

"Threat actors incorporating recently discovered vulnerabilities in popular software - Microsoft Office, in this case - only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated," said FireEye researchers Swapnil Patil and Yogesh Londhe in the blogpost about the malware.

Users should ensure they've downloaded all the patches published to protect against CVE-2017-11882 and CVE-2017-8759.

"Security updates were released last year and customers that have applied them, or have automatic updates enabled are protected," a Microsoft spokesperson told ZDNet.

Recent and related coverage

CoreBot banking trojan malware returns after two-year break

Malware steals login details of online banking customers of TD, Des-Jardins, RBC, Scotia Bank, and Banque National in Canada.

These fake tax documents spread jRAT malware

Data hungry malware tries to hook you with bogus forms and fake PDFs.

Google Apps Script vulnerability could have opened the door for malware

No user interaction required - and the exploit could've been used to distribute any form of malware.

READ MORE ON CYBERCRIME

Editorial standards