Security News: Researchers Warn of New Microsoft Zero-Day

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Security experts are warning of a critical zero-day threat that has been targeting Microsoft Word users since late January.

The attack allows hackers to remotely execute code on a targeted computer by tricking the user into opening a Word doc containing an embedded exploit.

The Windows Object Linking and Embedding (OLE) is primarily targeted with this exploit, which works on all versions of Office up to Office 2016 running on Windows 10.

FireEye, which has been working with Microsoft on the issue “for several weeks”, explained that a hacker would first email a Word document booby-trapped with a malicious embedded OLE2link object.

It continued:

“When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Read more: Researchers Warn of New Microsoft Zero-Day
 
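The chain quoted above (winword.exe fetches the HTA over HTTP, the HTA host runs the script, winword.exe is killed) lends itself to a simple host-level correlation. The following is an added example, not code from the thread, FireEye or Microsoft. It assumes Sysmon-style events (EventID 1 process create, 3 network connect, 5 process terminate) and that the HTA is executed by mshta.exe as a child of the Office process; the event records are constructed for the example, not captured from a real infection.

```python
# Added example (not code from the thread, FireEye or Microsoft): correlate
# an mshta.exe child of an Office process with a preceding network connection
# by that Office process and its termination shortly afterwards.
# Assumes Sysmon-style events; SAMPLE_EVENTS below are constructed.
from datetime import datetime

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
HTA_HOST = "mshta.exe"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window_seconds=60):
    """Return one alert per mshta.exe started by an Office process.

    Each alert records whether the parent made a network connection shortly
    before (the HTA fetch) and whether the parent died shortly after (the
    winword.exe kill that hides the OLE2link prompt)."""
    alerts = []
    net_by_pid = {}  # office pid -> [(time, "ip:port"), ...]
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when = datetime.fromisoformat(ev["UtcTime"])
        image = basename(ev.get("Image", ""))
        if ev["EventID"] == 3 and image in OFFICE_HOSTS:
            dest = "%s:%d" % (ev["DestinationIp"], ev["DestinationPort"])
            net_by_pid.setdefault(ev["ProcessId"], []).append((when, dest))
        elif ev["EventID"] == 1 and image == HTA_HOST \
                and basename(ev.get("ParentImage", "")) in OFFICE_HOSTS:
            ppid = ev["ParentProcessId"]
            recent = [d for t, d in net_by_pid.get(ppid, [])
                      if 0 <= (when - t).total_seconds() <= window_seconds]
            alerts.append({
                "time": ev["UtcTime"],
                "parent": basename(ev["ParentImage"]),
                "parent_pid": ppid,
                "child_pid": ev["ProcessId"],
                "command_line": ev.get("CommandLine", ""),
                "prior_network": recent,
                "parent_terminated": False,
                "started_at": when,
            })
        elif ev["EventID"] == 5:
            for a in alerts:
                if a["parent_pid"] == ev["ProcessId"] and \
                        0 <= (when - a["started_at"]).total_seconds() <= window_seconds:
                    a["parent_terminated"] = True
    for a in alerts:
        del a["started_at"]  # internal bookkeeping only
        a["severity"] = "high" if (a["prior_network"] or a["parent_terminated"]) else "medium"
    return alerts


# Constructed events: Word is opened, fetches something over HTTP, spawns
# mshta.exe, then dies. The last event is a user launching an HTA from
# Explorer, which must not alert.
WORD = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
MSHTA = "C:\\Windows\\System32\\mshta.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2017-04-10T09:15:00", "ProcessId": 4120, "Image": WORD,
     "ParentProcessId": 1304, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "UtcTime": "2017-04-10T09:15:03", "ProcessId": 4120, "Image": WORD,
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2017-04-10T09:15:05", "ProcessId": 5208, "Image": MSHTA,
     "CommandLine": '"%s" C:\\Users\\user\\AppData\\Local\\Temp\\template.hta' % MSHTA,
     "ParentProcessId": 4120, "ParentImage": WORD},
    {"EventID": 5, "UtcTime": "2017-04-10T09:15:06", "ProcessId": 4120, "Image": WORD},
    {"EventID": 1, "UtcTime": "2017-04-10T10:02:11", "ProcessId": 6010, "Image": MSHTA,
     "CommandLine": '"%s" C:\\Tools\\inventory.hta' % MSHTA,
     "ParentProcessId": 1304, "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The mshta.exe-under-Office relationship alone is worth alerting on since no ordinary document workflow produces it; the network and termination checks only raise the severity, and the same rule covers Excel and PowerPoint parents because the OLE object can be embedded there too.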

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Attacks Detected with New Microsoft Office Zero-Day

3 interesting points:
...
While the attack uses Word documents, OLE2link objects can also be embedded in other Office suite applications, such as Excel and PowerPoint.
...
The attack routine does not rely on enabling macros, so if you don't see a warning for macro-laced documents, that doesn't mean the document is safe.

.....
If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute. If the user has disabled Protected View, the exploit executes automatically, making an HTTP request to the attacker's server, from where it downloads an HTA (HTML application) file, disguised as an RTF.

What is Protected View? - Office Support
 
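Because the attack needs no macros, the usual "enable content" warning never appears, so static triage has to look for the linked object itself. The following is an added example, not code from the thread, Trend Micro or Microsoft. It assumes the document is in RTF form and carries the object in a `\*\objdata` hex block; the sample document built at the bottom is constructed, and its "native data" is a stand-in for a real OLE stream, not an exploit. The two CLSIDs are the public StdOleLink and URL moniker GUIDs written in their on-disk byte order.

```python
# Added example (not code from the thread, Trend Micro or Microsoft): flag an
# RTF whose embedded OLE object is an auto-updating OLE2Link. Assumes the
# object sits in a \*\objdata hex block; build_sample() is constructed.
import re
import struct

STDOLELINK_CLSID = bytes.fromhex("0003000000000000c000000000000046")  # {00000300-0000-0000-C000-000000000046}
URLMON_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")      # {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}

OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
# UTF-16LE http(s) URL carried in the moniker data.
URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def parse_ole1_header(blob):
    """OLE 1.0 ObjectHeader: version, format id (1=link, 2=embedded), class name."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if name_len > len(blob) - 12:
        return None
    name = blob[12:12 + name_len].split(b"\x00", 1)[0].decode("latin-1")
    return version, fmt, name


def scan_rtf(data):
    """Return a report of every \\objdata object and the link indicators found in it."""
    report = {"objects": [], "auto_update": b"\\objupdate" in data, "suspicious": False}
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(hexstr[: len(hexstr) & ~1].decode("ascii"))
        hdr = parse_ole1_header(blob)
        obj = {"class_name": hdr[2] if hdr else None,
               "format_id": hdr[1] if hdr else None,
               "indicators": [], "urls": []}
        if obj["class_name"] and obj["class_name"].lower() == "ole2link":
            obj["indicators"].append("OLE2Link class name")
        if STDOLELINK_CLSID in blob:
            obj["indicators"].append("StdOleLink CLSID")
        if URLMON_CLSID in blob:
            obj["indicators"].append("URL moniker CLSID")
        obj["urls"] = [u.decode("utf-16-le") for u in URL_RE.findall(blob)]
        report["objects"].append(obj)
    report["suspicious"] = any(o["indicators"] for o in report["objects"])
    return report


def build_sample():
    """Constructed RTF with the layout of an auto-updating OLE2Link object."""
    url = "http://example.invalid/decoy.rtf".encode("utf-16-le") + b"\x00\x00"
    native = STDOLELINK_CLSID + b"\x00" * 16 + URLMON_CLSID + url  # stand-in, not a real OLE stream
    class_name = b"OLE2Link\x00"
    objdata = struct.pack("<III", 0x00000501, 2, len(class_name)) + class_name
    objdata += struct.pack("<II", 0, 0)            # empty TopicName / ItemName
    objdata += struct.pack("<I", len(native)) + native
    return (b"{\\rtf1\\ansi\\deff0\n"
            b"{\\object\\objautlink\\objupdate\\objw1000\\objh1000"
            b"{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + objdata.hex().encode("ascii") + b"}"
            b"{\\result{\\pard Press to open}}}\n"
            b"\\par Constructed sample document.}\n")


if __name__ == "__main__":
    print(scan_rtf(build_sample()))
```

`auto_update` is reported separately from `suspicious`: `\objupdate` is what makes the link refresh as soon as the file is opened outside Protected View, whereas a linked object without it needs user interaction, so the two flags together tell you whether opening the file is enough to trigger the fetch.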

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Microsoft Office Zero-Day Used to Push Dridex Banking Trojan

The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread a version of their malware, the infamous Dridex banking trojan.

It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend.

Dridex campaign targeted Australian users
According to cyber-security firm Proofpoint, who discovered the Dridex spam campaign delivering Word documents weaponized with this zero-day, the spam wave consisting of millions of emails targeted mainly Australia.

The Dridex malware version delivered through these emails, which mimicked document scans, contained configurations to target a slew of Australian banks via the installation of Dridex botnet ID 7500, one of the many Dridex variants active today. Proofpoint reported activity from the Dridex botnet ID 7500 last week, yet a spokesperson has not confirmed if the group was using the zero-day at that time.

This campaign is the first time we have seen the Dridex group using an unpatched zero-day to distribute their malware. Usually, the group relied on Word files laced with macro scripts.

Microsoft to patch zero-day today
.....
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Just disable MSHTA; you don't need it anyway.
 

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
As simple as that... unless you absolutely have no other choice or option except to use Microsoft Office.

I love it when people say that. Name something that will do the same things I have to do with Office, and I'd consider it.

WPS Office is a good alternative. I haven't used the latest LibreOffice version, so I don't know how good it is now. And there is Ability Office too, which I got from Sharewareonsale.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Microsoft should integrate a proper SmartScreen filtering component into Windows apps, including Office, besides the Protected Mode feature.

Remember that a user will only stop before proceeding to the next operation when a notification is shown that flags it as malicious.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Unfortunately none of them come even close. At least Ability has an access like database. But none of them have anything like Outlook. And while a pain it is one of my bread and butter applications.
I agree 100%. If you use an office suite seriously, and take advantage of its features, then MS Office really has no competitors.
If you just want to type a letter, then use Google Docs.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
So it seems the execution of arbitrary code on the user's computer does not require the activation of macros (which the majority of attacks detected in the past exploited).
 
