Multi-Stage Word Attack Infects Users Without Using Macros (infection with password stealer)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Spam distributors are using a new technique to infect users with malware, and while this attack relies on having users open Word documents, it does not involve users having to allow the execution of macro scripts.

This new macro-less technique is currently under active exploitation, being detected by Trustwave SpiderLabs researchers in an ongoing malware campaign.

The company says crooks are using this multi-phase, no-macros technique to infect users with a password stealer. Currently, evidence suggests only one group is using this novel trick, albeit this will surely be adopted by others.
Click to expand...

New technique's exploitation chain
The actual exploitation chain is detailed below and relies on a large number of resources, such as DOCX, RTF, HTA, VBScript, and PowerShell.

⏩ A victim receives a spam email with a DOCX file attachment.
⏩ Victim downloads and opens the DOCX file.
⏩ DOCX file contains an embedded OLE object.
⏩ OLE object downloads and opens an RTF (disguised as a DOC) file.
⏩ DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
⏩ Exploit code runs an MSHTA command line.
⏩ MSHTA command line downloads and runs an HTA file.
⏩ HTA file contains a VBScript that unpacks a PowerShell script.
⏩ PowerShell script downloads and installs the password stealer.
⏩ Malware steals passwords from browsers, email and FTP clients.
⏩ Malware uploads data to a remote server.

....
........
..
............
Click to expand...
 
  • Like
Reactions: WinXPert, Solarquest, silversurfer and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,170
Even old Windows built-in SRP (Basic User or Dissallowed) or AppLocker will stop it because of
forced PowerShell Constrained Language mode (Windows 7+ with PowerShell 5.0). Also, the VBScript payload and final EXE paylod can be stopped on Windows XP+ by SRP (Dissallowed) .:)
 
Last edited:
  • Like
Reactions: AtlBo, silversurfer, harlan4096 and 1 other person
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
    • Applause
Dridex Malware Now Attacking macOS Systems with Novel Infection Method
Replies
0
Views
583
News Archive
silversurfer
silversurfer
silversurfer
    • Like
    • +Reputation
Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus
Replies
1
Views
741
News Archive
Andy Ful
Andy Ful
SeriousHoax
    • Like
    • Wow
Magniber ransomware now infects Windows users via JavaScript files
Replies
17
Views
1,682
News Archive
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top