Attackers using a Word zero-day to spread malware

Attackers are using a previously undisclosed security hole in Microsoft Word to install a variety of malware on victims’ computers. Microsoft knows about the zero-day and is expected to patch it later today. As we await that security update, here’s a review of the bug and the available defenses.

In its investigation, SophosLabs determined that exploits against this vulnerability have been happening for some time. SophosLabs principal researcher Gábor Szappanos said:

This vulnerability has been used for months in targeted attacks. Most of the activity went on in March-April 2017, but the first sample we could locate dates back to November 2016.

What we know so far

The vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort. 

In this case, the booby-trapped server sends out a compiled HTML file with an embedded program script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

Naked Security’s Paul Ducklin reviewed SophosLab’s findings and said of the attack technique:

It’s a bit like wearing overalls to get into a fancy dinner party venue by blagging your way in the front door as the plumber come to do a quick check for a possible leak in the Gents. Once inside, you strip off to the dinner jacket you’re wearing under the overalls, so you now pass muster as a dinner guest, with everyone assuming you showed your invitation at the door already. Dressed up properly in the DJ wouldn’t have got you in through the lobby at the start, because of no invitation, and the overalls wouldn’t have got you into the dining room, because of violating the dress code. So you wear the right clothes at the right moment and subvert both places where you would otherwise get spotted.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.

Additional defensive measures

As mentioned, Microsoft will release a patch for the vulnerability. Meantime, Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

Additional advice, for this threat and many others, include the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  •  It appears that attacks seen in the wild thus far can’t bypass the Office Protected View, which means enabling it may provide some extra protection.
  • Watch for Microsoft’s patch, and – once it’s released – install immediately.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.