Content, Breach

Trustwave SpiderLabs: Macro-less Malware Targets Microsoft Office, Word

Homer Pacag
Homer Pacag

Managed security service provider Trustwave’s SpiderLabs has detected a new malware tactic that relies on users opening Microsoft Word documents but doesn’t use social engineering to enable macro scripts typically deployed. The new macro-free malware is out there and active, SpiderLabs researchers said in a blog post.

“Malware authors often distribute malware through code macros in Microsoft Office documents such as Word, Excel, or PowerPoint,” said Homer Pacag, a Trustwave malware analyst and tools developer. Typically, macros are executed when a user opens the file. Despite malware warnings from Office apps, the user may still elect to unknowingly open the infected file.

But this is something quite apart. “The sample we look at today takes a longer, macro-less approach,” said Pacag. An email spam campaign SpiderLabs has been monitoring downloads a password stealer as its final payload in a four-stage infection process that begins once the user has opened the attachment, he said.

Here’s what actually happens: The exploitation relies on a large number of resources, such as DOCX, RTF, HTA, VBScript, and PowerShell. (via BleepingComputer)

  • A victim receives a spam email with a DOCX file attachment.
  • Victim downloads and opens the DOCX file.
  • DOCX file contains an embedded OLE object.
  • OLE object downloads and opens an RTF (disguised as a DOC) file.
  • DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
  • Exploit code runs an MSHTA command line.
  • MSHTA command line downloads and runs an HTA file.
  • HTA file contains a VBScript that unpacks a PowerShell script.
  • PowerShell script downloads and installs the password stealer.
  • Malware steals passwords from browsers, email and FTP clients.
  • Malware uploads data to a remote server.

The malware approach isn't typical, Trustwave says.

“It's pretty unusual to find so many stages and vectors being used to download malware,” wrote Pacag. “Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process,” he said. Pacag pointed out that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways contrary to the “more obvious” scripting languages such as VBS, JScript or WSF.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.