Microsoft has just released a patch for a recently discovered bug in Word that allows a malicious document to install malware when opened, even if the user does not enable macros in Office. This vulnerability is being used by spammers to distribute various forms of malware including the Dridex banking trojan. While Cloudmark’s spam filtering is currently flagging these attacks as spam, our logs indicate that a handful of users are taking the emails out of their spam folder. If they open the attached Word document, this makes them vulnerable to malware which could steal their banking or e-commerce credentials.
The attack depends on Office’s Object Linking and Embedding (OLE) feature, which allows one document to load and reference another. OLE was introduced in 1990, before the rise of the World Wide Web and email spam. It’s one of those products where security has had to be built in later, which is always more precarious than designing a secure product from the ground up. As a result, OLE has a large potential attack surface. (See https://www.blackhat.com/docs/us-15/materials/us-15-Li-Attacking-Interoperability-An-OLE-Edition.pdf [PDF].) In this case, an RTF file with a .doc suffix is sent as an email attachment. If the attachment is opened by Word, the embedded OLE2Link object then downloads an .hta file disguised as an RTF document, which executes malicious Visual Basic code. This code disguises the operation of the trojan, and downloads the final malware payload.
Most malicious Word documents rely on macros to compromise the target. By default, active content, including macros, is disabled in Word unless you specifically identify the document as trusted. Attackers must rely on social engineering techniques to trick a victim into enabling active content. However, this attack does not require macros to be enabled, thus making it more likely to be effective. This also makes the malicious code invisible to anti-virus (AV) filters that are looking for malicious macros. However, the malicious OLE link is now detected by more than half of the AV programs in VirusTotal.
Even if malware attachments to email try to evade AV software detection by being polymorphic or using encrypted files, spam filtering still has a good chance of flagging the email as malicious using the envelope data. (See Anti-Virus the Cloudmark Way.) We are seeing a Dridex attack coming from the Necurs botnet which has also been used to distribute the Locky ransomware. Most of the IP addresses of machines in any spam sending botnet will already be blacklisted by Cloudmark and other anti-spam organizations. These may not even be allowed to connect to our clients’ mail servers, or if they are, anything they send will go straight to the spam folder. For newly infected bots that we have not yet blacklisted, there are other filters, based on automatically generated signatures and user feedback, which generally respond to new threats faster than manually generated AV signatures. This is not to say that you should do without AV software. Both static and active AV tools are an important layer of defense, but they should not be the only thing you rely upon.
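The attack chain described above (an RTF file carrying a .doc suffix, with an embedded OLE link object) lends itself to a cheap content check at the mail gateway, alongside the envelope-based filtering discussed here. The following is an added example, not Cloudmark’s code or part of the original post: it builds a constructed sample message whose only content is a bogus "invoice.doc" attachment, then inspects each attachment for a file-type/extension mismatch (RTF bytes behind a .doc name), the presence of an RTF `\object` with `\objdata`, an `\objupdate` control word (which asks Word to refresh the object on open), and the string "OLE2Link" inside the hex-encoded object payload. The attachment name, addresses and the inert object payload are all constructed for the example.

```python
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (not from the original post). The attachment is named with a
# .doc suffix, but its bytes are RTF, and it embeds an OLE link object whose
# hex-encoded payload is simply the inert placeholder string "OLE2Link".
_OBJDATA_HEX = binascii.hexlify(b"OLE2Link").decode("ascii")
SAMPLE_RTF = (
    r"{\rtf1\ansi Invoice attached.{\object\objautlink\objupdate{\*\objdata "
    + _OBJDATA_HEX
    + "}}}"
).encode("ascii")


def build_sample_message() -> bytes:
    """Return a raw RFC 5322 message: empty body, one attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg["Subject"] = "Invoice"
    msg.set_content("")                      # nothing but the attachment
    msg.add_attachment(SAMPLE_RTF, maintype="application",
                       subtype="msword", filename="invoice.doc")
    return msg.as_bytes()


# Captures the hex run that follows an \objdata control word.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Heuristic indicators for an RTF-based OLE link hidden behind a .doc name."""
    findings = {
        "filename": filename,
        "rtf_disguised_as_doc": False,  # RTF magic but .doc extension
        "has_ole_object": False,        # \object control word present
        "auto_update": False,           # \objupdate forces refresh on open
        "ole2link": False,              # OLE2Link moniker inside \objdata
    }
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    if is_rtf and filename.lower().endswith(".doc"):
        findings["rtf_disguised_as_doc"] = True
    if is_rtf and b"\\object" in data:
        findings["has_ole_object"] = True
    if is_rtf and b"\\objupdate" in data:
        findings["auto_update"] = True
    for match in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        hexdata = hexdata[: len(hexdata) // 2 * 2]  # drop a dangling nibble
        try:
            blob = binascii.unhexlify(hexdata)
        except binascii.Error:
            continue
        if b"ole2link" in blob.lower():
            findings["ole2link"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag only when the disguise and an OLE link indicator coincide."""
    return (
        findings["rtf_disguised_as_doc"]
        and findings["has_ole_object"]
        and (findings["ole2link"] or findings["auto_update"])
    )


def scan_message(raw: bytes) -> list:
    """Parse a raw message and inspect every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        results.append(inspect_attachment(name, payload))
    return results


if __name__ == "__main__":
    for result in scan_message(build_sample_message()):
        print(result["filename"], "suspicious" if is_suspicious(result) else "clean", result)
```

The check is deliberately narrow: a legitimate RTF saved under its own .rtf name, or a genuine OLE compound .doc file, produces no finding, so the heuristic complements rather than replaces patching Word and the envelope-based spam filtering described above.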
The Dridex/Necurs attack is a pretty simple email, containing nothing but an attached document.
You would think that when a message like that is consigned to the spam folder, people would leave well alone, but according to our logs, one user out of every few thousand is putting it back in their inbox. Though this is not a high success rate for the spammers, if infections result in them being able to drain bank accounts, then there is enough return for them to keep on going. User training is a dull but vital part of information security.
If you use Microsoft Word and have not yet installed the latest update, you can do so by going to the Help menu and selecting Check for Updates. This may not be the last attack on OLE that we see, so avoid opening email attachments unless you are expecting them and they come from a trusted source, especially if they end up in your spam folder.