Attacks Detected with New Microsoft Office Zero-Day

Discussion in 'malware problems & news' started by itman, Apr 8, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/news/security/attacks-detected-with-new-microsoft-office-zero-day/
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    thanks itman. These posts are so helpful, to staying alert
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I will also add that you should be monitoring mshta.exe startup in System32 and SysWOW64 directories using a HIPS or anti-exec. This would have detected the malware payload .hta download execution attempt.

    Also .hta downloads are a great way to defeat browser sandboxing. You can read about that here: http://www.kunal-chowdhury.com/2010/09/how-to-execute-local-file-using-html.html#WgFCCgrqLzcrzoEm.97

    -EDIT- Also .hta based malware is an effective AppLocker bypass https://dfir-blog.com/2016/01/03/protecting-windows-networks-applocker/
     
    Last edited: Apr 9, 2017
  4. guest

    guest Guest

One common point to all those reports? Stupid users happily clicking...

Personally, done in AppGuard a long time ago, alongside most of the vulnerable Windows processes.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Not in this case as noted previously:
     
  6. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    "If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute."

    So the user still has to do something "stupid" (disable Office Protected View), as almost all the cases.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Yes. If an e-mailed .doc is received via Internet delivery, it will open in Protected View.

However, if the .doc is received via an e-mail server, Protected View is N/A as I recollect. I have been retired a few years and work memory is a bit foggy.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Hacker News has a bit more detail. Nasty stuff indeed. You wouldn't have a clue you were nailed:
    http://thehackernews.com/2017/04/microsoft-word-zero-day.html
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Does it have to use mshta.exe??
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I believe the vulnerability is that the .hta file can be run within winword.exe w/o triggering an alert or forcing a stand-alone execution of mshta.exe. For example, IE11 and/or Edge will not allow direct execution of a .hta file. It has to run outside of the browser using mshta.exe.
     
    Last edited: Apr 10, 2017
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Can't say about other programs, but since AppGuard guards Winword anyway, it's covered. And any child process would be covered.
     
  14. guest

    guest Guest

    Indeed and even with other anti-exe/SRPs, just add mshta.exe to the blacklist and you are good.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
If for some reason a .doc file needs to run outside of protected mode, for example for editing, the best protection against this vulnerability would be to block/monitor all inbound and outbound traffic from winword.exe with a firewall rule until MS issues a patch for this. Who knows when that will be, since the exploit has been known for months.

    -EDIT-
    I missed the following from the FireEye article. It is using mshta.exe to execute the .hta file. So I would assume that a HIPS/anti-exec monitoring its startup would generate an alert. We will only know for sure if a malware sample can be obtained.
    https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
     
    Last edited: Apr 10, 2017
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  17. Torboro

    Torboro Registered Member

    Joined:
    Apr 11, 2017
    Posts:
    1
    Location:
    Norway
    Does anyone have the complete kill-chain?

Is it
winword.exe -> mshta.exe -> wscript.exe/powershell.exe
or
winword.exe -> wscript.exe/powershell.exe -> mshta.exe
     
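The lineage check itman describes (alerting on mshta.exe and other script hosts when Word starts them) and Torboro's kill-chain question can be answered with one piece of detection logic that walks a process's ancestors instead of assuming a fixed order. The script below is an added example, not code from the thread or from any of the vendors mentioned. The process-creation records are constructed here in the shape Sysmon Event ID 1 reports them (ProcessId, ParentProcessId, Image, CommandLine); the PIDs, paths and command lines are made up for illustration.

```powershell
# Added example: flag script hosts (mshta.exe, wscript.exe, powershell.exe, ...)
# that descend from an Office process, whatever the intermediate hops are.
# Records are constructed inline; in production, feed in Sysmon Event ID 1
# data from Get-WinEvent (see usage note).

function Get-OfficeSpawnedScriptHosts {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string[]]$OfficeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe'),
        [string[]]$ScriptHosts = @('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe'),
        [int]$MaxDepth = 8   # stop walking after this many parent hops
    )
    # Index records by PID so parent lookups are O(1).
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    foreach ($e in $Events) {
        $leaf = (Split-Path -Leaf $e.Image).ToLowerInvariant()
        if ($ScriptHosts -notcontains $leaf) { continue }

        # Walk up the parent chain. Because we look for *any* Office ancestor,
        # winword -> mshta -> powershell and winword -> powershell -> mshta
        # both match; the order of hops does not matter.
        $chain          = @($leaf)
        $parent         = $byPid[[int]$e.ParentProcessId]
        $depth          = 0
        $officeAncestor = $null
        while ($parent -and $depth -lt $MaxDepth) {
            $pleaf = (Split-Path -Leaf $parent.Image).ToLowerInvariant()
            $chain = @($pleaf) + $chain
            if ($OfficeHosts -contains $pleaf) { $officeAncestor = $parent; break }
            $parent = $byPid[[int]$parent.ParentProcessId]
            $depth++
        }

        if ($officeAncestor) {
            [pscustomobject]@{
                # mshta.exe under Word is the signature of this campaign; other
                # hosts are still suspicious but have more benign uses (macros).
                Severity    = if ($leaf -eq 'mshta.exe') { 'High' } else { 'Medium' }
                ChildPid    = $e.ProcessId
                Chain       = $chain -join ' -> '
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records (not real telemetry). PID 4000 is a control case:
# mshta.exe started from Explorer, so it must NOT be flagged.
$Events = @(
    [pscustomobject]@{ ProcessId = 1200; ParentProcessId = 700;  Image = 'C:\Windows\explorer.exe';                                           CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 3100; ParentProcessId = 1200; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE';       CommandLine = '"WINWORD.EXE" /n invoice.doc' }
    [pscustomobject]@{ ProcessId = 3300; ParentProcessId = 3100; Image = 'C:\Windows\System32\mshta.exe';                                     CommandLine = 'mshta.exe C:\Users\user\AppData\Local\Temp\template.hta' }
    [pscustomobject]@{ ProcessId = 3350; ParentProcessId = 3300; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe';         CommandLine = 'powershell -nop -w hidden -enc <base64 omitted>' }
    [pscustomobject]@{ ProcessId = 4000; ParentProcessId = 1200; Image = 'C:\Windows\System32\mshta.exe';                                     CommandLine = 'mshta.exe C:\Tools\admin-panel.hta' }
)

Get-OfficeSpawnedScriptHosts -Events $Events | Format-Table -AutoSize
```

Run against the constructed records this reports two hits, `winword.exe -> mshta.exe` (High) and `winword.exe -> mshta.exe -> powershell.exe` (Medium), and ignores the Explorer-launched mshta.exe. To run it against live data, collect Sysmon process-creation events with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'`, project the ProcessId, ParentProcessId, Image and CommandLine fields out of each event's EventData, and pass the resulting objects as `-Events`. The same ancestry walk is what a HIPS or anti-exec rule "block mshta.exe when its parent is WINWORD.EXE" implements, with the difference that a blocking rule only sees the direct parent, so a chain that inserts cmd.exe or powershell.exe between Word and mshta.exe needs the multi-hop check above.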
  18. guest

    guest Guest

  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "Microsoft patches serious Word bug"

    " ...'We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically,' said a Microsoft spokesman..."

    http://www.bbc.com/news/technology-39563965
     
    Last edited: Apr 11, 2017
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Great news and :thumb: for quick patch release.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Don't believe this patch is related to the 0-day exploit that is the topic of this thread but rather the one being used by Dridex referenced here: https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return . I will have to see the specific patch details from Microsoft to be 100% sure.

    The Dridex attack used a RTF file but I see no reference to .hta use in the Proofpoint article.

    FYI: https://www.proofpoint.com/us/threa...lions-recipients-unpatched-microsoft-zero-day
     
    Last edited: Apr 11, 2017
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    This fix relates to an exploit of Word's Object Linking and Embedding technology as in the OP.

    "Oh my Microsoft Word: Dridex hackers exploit unpatched flaw

    Banking trojan-proofing will take place later today...

    FireEye researchers who discovered a bug in Word's Object Linking and Embedding technology were working with Microsoft, but were pre-empted by a disclosure from McAfee, as previously reported..."

    https://www.theregister.co.uk/2017/04/11/dridex_cybercrooks_abuse_word_exploit/

The McAfee/FireEye overlap is also similar to the scenario of the OP.
     
    Last edited: Apr 11, 2017
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It is also looking more and more that the vulnerability is in use of RTF files and that the previous .hta use reported by McAfee and FireEye was only one way it could be exploited.

So the CERT advice about disabling RTF use is the way to go. Besides the registry mod, you can for example force RTF files to open in Protected View using Microsoft Word's Trust Center settings.
     
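The two interim mitigations raised in the thread, itman's firewall rule on winword.exe (post 15) and the CERT-style RTF file block or Protected View enforcement (post 23), are both a handful of registry and firewall settings. The script below is an added example and is not the thread's, CERT's or Microsoft's own code. It assumes Office 2016/365 (registry version key `16.0`) and the default Click-to-Run path for WINWORD.EXE; the rule display name is made up here, and the firewall part needs an elevated session.

```powershell
# Added example: Word-side workarounds while a patch is pending.
# Assumes Office version key 16.0 and the default WINWORD.EXE path; adjust both.

function Set-WordRtfFileBlock {
    [CmdletBinding()]
    param(
        # 'Block'         = Word refuses to open RTF at all (the CERT workaround).
        # 'ProtectedView' = RTF opens read-only in Protected View, which is enough
        #                   to keep the embedded OLE/.hta payload from running.
        [ValidateSet('Block', 'ProtectedView')]
        [string]$Mode = 'ProtectedView',
        [string]$OfficeVersion = '16.0'
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # RtfFiles: 0 = not blocked, 1 = save blocked, 2 = open and save blocked.
    # OpenInProtectedView decides what a blocked open does:
    #   0 = do not open, 1 = open read-only in Protected View.
    $openBehaviour = if ($Mode -eq 'Block') { 0 } else { 1 }
    Set-ItemProperty -Path $key -Name 'RtfFiles'            -Value 2              -Type DWord
    Set-ItemProperty -Path $key -Name 'OpenInProtectedView' -Value $openBehaviour -Type DWord

    # Echo the effective values so the change can be verified (and audited later).
    Get-ItemProperty -Path $key | Select-Object RtfFiles, OpenInProtectedView
}

function Block-WinwordNetwork {
    [CmdletBinding()]
    param(
        # Assumed default Click-to-Run location; check with Get-Process WINWORD.
        [string]$WinwordPath = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    )
    if (-not (Test-Path $WinwordPath)) { throw "WINWORD.EXE not found at $WinwordPath" }

    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block WINWORD.EXE $dir (Word .hta zero-day workaround)"   # hypothetical rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Program $WinwordPath `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'Block WINWORD.EXE *' |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage (per affected user, then once as administrator):
#   Set-WordRtfFileBlock -Mode ProtectedView
#   Block-WinwordNetwork
# Roll back after patching with:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock' -Name RtfFiles, OpenInProtectedView
#   Get-NetFirewallRule -DisplayName 'Block WINWORD.EXE *' | Remove-NetFirewallRule
```

`Set-WordRtfFileBlock` writes the same values that File > Options > Trust Center > File Block Settings toggles in the UI, so the result can be confirmed there. If the machine is domain-managed, the policy equivalents under `HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\FileBlock` take precedence over the per-user key and are the right place to set this centrally. The firewall rule blocks the document-fetch and download stages that run inside winword.exe itself; it does nothing for a payload that has already spawned mshta.exe, which is why it complements rather than replaces the process-lineage monitoring discussed earlier in the thread.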
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
This new Sophos blog post seems to indicate that the Microsoft patch to be released today addresses the exploit that is the subject of the OP.

    What's your opinion itman ?

    "Attackers using a Word zero-day to spread malware

    Attackers are using a previously undisclosed security hole in Microsoft Word to install a variety of malware on victims’ computers. Microsoft knows about the zero-day and is expected to patch it later today...

    As mentioned, Microsoft will release a patch for the vulnerability. Meantime, Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU..."

    https://nakedsecurity.sophos.com/20...Feed: nakedsecurity (Naked Security - Sophos)
     