Critical Office Zero-Day Attacks Detected in the Wild

By on

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.

This blog post serves as a heads-up for our customers and all Office users to protect against this zero-day attack.

The samples we have detected are organized as Word files (more specially, RTF files with “.doc” extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

The .hta content is disguised as a normal RTF file to evade security products, but we can find the malicious Visual Basic scripts in a later part of the file:

 

 

 

 

 

 

The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.

The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)

We strongly suggest Office users take the following actions to protect or mitigate against this zero-day attack before Microsoft issues an official patch. We notified the Microsoft Security Response Center as soon as we found the suspicious samples, and we will continue to work with them to protect Office users.

  •  Do not open any Office files obtained from untrusted locations.
  •  According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

We will continue to update our findings on this ongoing investigation.

 

Special thanks to Bing Sun, Chong Xu, Christiaan Beek, and Abhishek Karnik (and his team) for their help with this investigation.

Similar articles

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these "can't-miss deals," how do you ...
Read Blog
If you're an avid gamer or know someone who is, you might be familiar with the retro gaming site Emuparadise. This website boasts a large community, a vast collection of gaming music, game-related videos, game guides, magazines, comics, video game translations, and more. Unfortunately, news just broke that Emuparadise recently suffered a data breach in ...
Read Blog
For as long as you’ve had a phone, you’ve probably experienced in one form or another a robocall. These days it seems like they are only becoming more prevalent too. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. While these scams vary by country, the ...
Read Blog