Microsoft Word subDoc Feature Abused to Steal Windows Credentials



The security research team at Rhino Labs, a US-based cyber-security company, has discovered that malicious actors can use a lesser-known Microsoft Word feature called subDoc to trick Windows computers into handing over their NTLM hashes, the standard format in which user account credentials are stored.

At the heart of this technique is a classic NTLM pass-the-hash attack, which has been known about for years. What's different, according to Rhino Labs, is the way this can be carried out, via a Word feature called subDoc that allows Word files "to load sub-documents from a master document."

How the subDoc attack works
Rhino Labs experts say that attackers can put together a Word file that loads a sub-document from a malicious server.

Attackers can host a malicious SMB server at the other end of this request, and instead of delivering the requested sub-document, they trick the victim's PC into handing over the NTLM hash needed for authentication on a fake domain.

There are numerous tools available online for cracking NTLM hashes and obtaining the Windows credentials within. Attackers can then use these logins to access the victim's computer or network, posing as the original user.


This type of hack is ideal for spear-phishing campaigns aimed at high-value targets, such as enterprises or government agencies.

Rhino Labs has also released a tool for generating subDoc-weaponized Word files so that system administrators and security researchers can carry out their own tests. The tool is named SubDoc Injector, is available on GitHub, and was authored by former LulzSec member Hector "Sabu" Monsegur, now part of the Rhino Labs team. Rhino Labs has also published a technical post with a step-by-step reproduction of the subDoc attack.
 
  • Like
Reactions: silversurfer
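As an added example, not part of the original post or of Rhino Labs' tooling, the following Python scanner checks a .docx for subDoc relationships whose target lies outside the package (a UNC path or URL), which is the condition a mail gateway or incident responder would flag. It assumes the standard OOXML `subDocument` relationship type URI; the sample document and the 203.0.113.5 address (a documentation range) are constructed for the test.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: this is the standard OOXML relationship type Word uses for subDoc links.
SUBDOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Targets that would make Word reach out over the network (UNC paths, file:/smb: URLs, HTTP).
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|smb:|https?:)", re.IGNORECASE)

def find_external_subdocs(docx_bytes: bytes) -> list[str]:
    """Return the target of every subDocument relationship that points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{RELS_NS}Relationship"):
                if rel.get("Type") != SUBDOC_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target):
                    hits.append(target)
    return hits

def build_sample_docx(target: str, external: bool) -> bytes:
    """Build a minimal constructed .docx with a single subDoc reference (test input only)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{SUBDOC_REL}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/></Relationships>"
    )
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:subDoc r:id="rId1"/></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample pointing at a TEST-NET-3 address; a local sub-document is benign.
    bad = build_sample_docx("\\\\203.0.113.5\\share\\sub.docx", True)
    print("suspicious targets:", find_external_subdocs(bad))
```

A hit here means opening the file would make Word attempt an outbound SMB connection, so pairing this check with blocking TCP 445 at the network edge covers both the file and the network side of the technique.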
