Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/12/2018
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Creators of Tools for Building Malicious Office Docs Ditch Old Exploits

In their place is a collection of new exploits for more recently disclosed - and therefore not likely widely patched - vulnerabilities.

In an unusual development, the creators of tools used to mass-produce malicious Microsoft Office documents have completely scrapped a range of exploits they've been using, some for years, and replaced them with a new set of exploits.

Researchers from Sophos observed the trend developing around the beginning of this year. They say they've never seen such a complete abandonment of existing exploits — and, in a few cases, the tools that used them — over such a short time period.

The development suggests that many of the exploits developers have been using in their malicious document "builders" have been patched, so they are quickly turning to new exploits instead, says Gabor Szappanos, principal malware researcher at Sophos.

The main takeaway for enterprises is that the exploit deployment cycle has shortened significantly, he says. "A year ago, when a new Office exploit surfaced, enterprises had one to two months to deploy the security patch before large-scale infection campaigns started hitting their users," Szappanos says.

That cycle has now shortened to a couple of weeks or, in extreme cases, even just couple of days. "There is no time to hesitate when it comes to deploying security patches for Office exploits," he notes.

Exploit builders are tools that allow criminals — especially those with little technical savvy — to deliver malware of their choice on target systems with little effort. The tools automate the process of creating malicious Office document with exploit content.  

One example is ThreadKit, an $800 tool available on several Russian-language marketplaces that was used to create nearly one-third of all malicious Office documents that Sophos analyzed. ThreadKit and three other exploit builders accounted for more than 75% of all malicious Office documents that Sophos investigated in the first quarter of 2018.

"Without the builders, [criminal] groups would instead rely on more traditional methods, [such as] executable attachments, scripts, [and] VBA macros in malware delivery, rather than exploits," Szappanos says.

The authors of builders typically offer criminals a menu of exploits that they can choose from to embed in their malicious documents. Over the past two years, the exploits that have been available for embedding have remained fairly consistent. But starting in January, many of the most popular exploits available for embedding started disappearing.

One example is an exploit for CVE-2017-0199, a remote code execution vulnerability that affects the way Microsoft Office and WordPad handle specially crafted files. Another example is CVE-2012-0158, a buffer overflow flaw in an ActiveX control that criminals actively exploited for more than four years. Along with these exploits, some of the tools that implemented them — such as Microsoft Word Intruder and AKBuilder — have disappeared, as well, Sophos said in a report this week.

In their place is a collection of new exploits for more recently disclosed — and therefore not likely widely patched — vulnerabilities.

By far the most popular is an exploit for memory corruption vulnerability CVE-2017-11882 in the Equation Editor feature in Office that Microsoft disclosed last November. Criminals have embedded an exploit for the vulnerability in some 56% of the malicious Office documents that Sophos has inspected since then. "It’s popular because it is easy to use, and it works with all unpatched Office versions," Szappanos says. "Consequently, there are also a lot of builders providing it."

He says other popular new exploits currently being used in builders include those for another flaw in Equation Editor (CVE-2018-0802); a memory-handling error in Microsoft Office (CVE-2017-8570); and a .NET framework remote code execution flaw (CVE-2017-8759).

Increasingly, malicious Office documents also do not have malware embedded directly in them.  Instead, criminals are resorting to fileless approaches that invoke tools like PowerShell to download and execute the malicious payload, thereby making the documents harder to spot and stop, Sophos said.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0324
PUBLISHED: 2021-06-14
Product: AndroidVersions: Android SoCAndroid ID: A-175402462
CVE-2021-0467
PUBLISHED: 2021-06-14
In Chromecast bootROM, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege in the bootloader, with physical USB access, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: Andr...
CVE-2021-21554
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and, Dell Precision 7920 Rack Workstation BIOS contain a stack-based buffer overflow vulnerability in systems with Intel Optane DC Persistent Memory installed. A local malicious user with high privileges may potentially exploit t...
CVE-2021-21555
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a heap-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, a...
CVE-2021-21556
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a stack-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, ...