Microsoft Office Attack Runs Malware Without Needing Macros

Discussion in 'other security issues & news' started by itman, Oct 12, 2017 at 9:16 AM.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,147
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...e-attack-runs-malware-without-needing-macros/
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,096
    Location:
    Toronto, Canada
    Would applying the Child Process mitigation block this attack?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,147
    Location:
    U.S.A.
    It appears so. I assume most are by now monitoring the script engines, rundll32, command shell, etc. starting from Word. I recently added csc.exe for the various .Net engines after I saw it was being used maliciously to compile a .Net executable on the fly.
     
  6. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,790
    Location:
    Mexico
    That's why I always run Office programs in Sandboxie, in a restricted sandbox.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,147
    Location:
    U.S.A.
    It is also not just Word that has been vulnerable to DDE attacks, as noted by this Flash exploit last year:

    ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks

    https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,582
    Location:
    The Netherlands
    Simply by blocking child process execution, you can stop this attack. SpyShelter also monitors DDE execution. For example, it will block VT Uploader from launching the browser via DDE.
     
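Both itman (post 3, monitoring script engines, rundll32, the command shell and csc.exe started from Word) and Rasheed187 (post 8, blocking child process execution outright) describe the same detection point: an Office application creating a child process. As an added example (written for this page, not code from SpyShelter, Sandboxie, Exploit Protection or any other product named in the thread), here is that logic run over constructed process-creation events. It assumes events in a Sysmon-like JSON shape with ParentImage, Image and CommandLine fields; the two modes correspond to the two posts, strict (any child of an Office app, as the Child Process mitigation enforces) and relaxed (only interpreters, LOLBins and the .NET compilers).

```python
"""Flag Office applications spawning child processes.

Added example for this page, not code from any product named in the thread.
Assumes process-creation events as newline-delimited JSON with ParentImage,
Image, CommandLine and UtcTime fields; SAMPLE_EVENTS below are constructed.
"""
import json
import os

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# interpreters, LOLBins and compilers that a document viewer has no reason to launch
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe",
    "csc.exe", "vbc.exe", "certutil.exe", "bitsadmin.exe",
}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(event: dict, strict: bool = False):
    """Return an alert for one process-creation event, or None.

    strict=True mirrors the Child Process mitigation: every child of an Office
    app is flagged. strict=False flags only the interpreter/compiler set."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_APPS:
        return None
    if strict or child in INTERPRETERS:
        return {
            "rule": "office-child-process" if strict else "office-spawns-interpreter",
            "time": event.get("UtcTime", ""),
            "parent": parent,
            "child": child,
            "cmdline": event.get("CommandLine", ""),
        }
    return None


def scan(lines, strict: bool = False):
    """Run evaluate() over JSON lines, skipping blanks; return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line), strict=strict)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events: a normal Word launch, a DDE-style cmd/powershell chain,
# a print helper spawned by Word, and Excel compiling .NET code on the fly.
SAMPLE_EVENTS = r'''
{"UtcTime": "2017-10-12 14:16:03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docx"}
{"UtcTime": "2017-10-12 14:16:09", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /k powershell -w hidden -enc SQBFAFgA"}
{"UtcTime": "2017-10-12 14:16:09", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc SQBFAFgA"}
{"UtcTime": "2017-10-12 14:20:41", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"UtcTime": "2017-10-12 14:31:17", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Users\\u\\AppData\\Local\\Temp\\abc.cmdline"}
'''.strip().splitlines()


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "relaxed")
        for a in scan(SAMPLE_EVENTS, strict=mode):
            print(f"  {a['time']} {a['parent']} -> {a['child']}: {a['cmdline']}")
```

The relaxed mode matches only the direct child, so the powershell.exe launched by cmd.exe in the third event is not flagged on its own; if your telemetry carries a parent chain or process GUIDs, extend the rule to walk grandparents. The strict mode is what a block-all-children policy sees, and the splwow64.exe event shows the kind of legitimate child you would have to allow-list before enforcing it.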