Latest Favorite Platform for Zero-Day Exploits: Microsoft Office

Cybercriminals turn to Microsoft Office documents for conducting their zero-day exploits, using office files to execute remotely hosted malware.

Cyberattacks are being launched using the most common tool of office work i.e. Emails. Microsoft Office documents  are usually attached to a number of emails for file transfer and data sharing. Targeting this mode of communication,  hackers use email attachments to perform remote code execution on systems. These remotely hosted malicious  components are easily transferred to a system via emails.

Almost all zero-day exploits from late 2017 and early 2018 have used office documents like Word files and Excel sheets. These documents aren’t suspected by common people and their malicious components are hard to detect.

Evolution in Techniques

MS Office has begun to have quite a linkage with cybercrimes. Researchers reveal that e-mail phishing has evolved and matured with time. Attackers have found new modes of exploiting office documents. Instead of attaching files with embedded malicious macros, they use the office files to grab remotely hosted malicious components, which launch exploits in the browser. Getting the users to ‘enable macros’ has been a common trend in the past. But with evolution of advanced security measures and an emerging tech-savvy audience, this trend has seen a decline, producing little results in favor of the attacker. Owing to the constant battle of attack and defense, advanced strategies are evolving at both ends to exploit the endpoint and to save it.

Down the memory lane; trouble begins with CVE-2017-0199

Word documents have never been immune to vulnerabilities. One of these loopholes, CVE-2017-0199, the MS Office/WordPad remote code execution vulnerability makes use of a logic flaw in MS Word. It popped up in 2016 when  an attack was launched using word files as carriers. Something embedded in the files was able to fetch remote  malware from the web.

The Object Linking and Embedding (OLE) Technology

The Object Linking and Embedding (OLE) technology is used to deliver malware to a system through which attackers  can execute codes on the compromised system.

The trend of remotely hosted cyberthreats has grown ever since this vulnerability was exploited. The recent “CVE-2018- 8174 Windows VBScript Engine Remote Code Execution Vulnerability” is an evidence of the emerging trend.  Exploiting the library used by Internet Explorer, this “Double Kill” bug could let an attacker execute code with the current user’s privileges.

A malicious RTF file attached to an email contains an OLE object, which downloads and renders a HTML page when activated. VBScript on the page uses the exploit to grab a remote payload to the endpoint.

Even though Microsoft has patched both CVE-2017-0199 and CVE-2018-8174; some individuals and organizations may still be vulnerable due to procrastinating with their patching.

Why Office Documents?

Office Documents are convenient because they can be used with applications that are targeted in the browser. Links sent in malicious emails will open in Internet Explorer. Since most systems do not have IE as their default browser, they could be having outdated and vulnerable versions of IE which will automatically be used to open the links received in emails. Hence, an Internet Explorer zero-day embedded in a word file can be used to target a system that doesn’t use IE as default browser.

The remotely hosted malware attacks are trending because they tend to evade the security systems. When differentiating between ‘good’ and ‘bad’ content, a security system can let a document slip if it only contains a link, whereas a document containing the malware itself can easily be scanned and detected by antiviruses.

If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.