Another Day, Another Bug

Image source: https://stixproject.github.io/documentation/idioms/maec-malware/

An article I posted on Facebook a few years back led me to Ars Technica, where I found this report. While they are simultaneously lauding Microsoft’s Windows 10 and detailing how this bug works, they cite reports by McAfee and FireEye.

Quoting the McAfee article:

We strongly suggest Office users take the following actions to protect or mitigate against this zero-day attack before Microsoft issues an official patch. We notified the Microsoft Security Response Center as soon as we found the suspicious samples, and we will continue to work with them to protect Office users.

  •  Do not open any Office files obtained from untrusted locations.
  •  According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

Here is a link to the full article. Question for you techies: will McAfee ever live down its reputation? Now that Intel owns this security software, is it legit?

And from the FireEye post:

FireEye email and network products detect the malicious documents as: Malware.Binary.Rtf.

Attack Scenario

The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.

The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents. Microsoft Office users are recommended to apply the patch as soon as it is available.
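Detection logic for the chain FireEye describes above, as an added example that is not part of the original post and not FireEye's or McAfee's code: it scans constructed process-creation and web-proxy events for Word spawning the HTA host (assumed to appear in telemetry as mshta.exe) and for Word fetching HTA content served under an RTF name. Field names and all sample events are constructed for illustration.

```python
"""Detection heuristics for the Word -> HTA chain described above.

Added example, not code from the original post, FireEye or McAfee. Assumes
process-creation and web-proxy telemetry already normalised into dicts;
field names, the mshta.exe host name and all sample events are constructed.
"""
import re

OFFICE = {"winword.exe"}
HTA_HOST = "mshta.exe"          # assumed image name of the Microsoft HTA host
HTA_MARKER = re.compile(rb"<\s*(script|hta:application)\b", re.I)
RTF_MAGIC = b"{\\rtf"           # a genuine RTF file starts with this token


def check_process(ev):
    """Flag the HTA host being spawned by Word (script loaded via OLE2link)."""
    if ev["parent"].lower() in OFFICE and ev["image"].lower() == HTA_HOST:
        return f"{ev['parent']} spawned {ev['image']} (pid {ev['pid']})"
    return None


def check_download(ev):
    """Flag an HTTP fetch by Word whose body is HTA rather than the RTF it claims."""
    if ev["process"].lower() not in OFFICE:
        return None
    body = ev["body_prefix"]
    served_as_hta = ev.get("content_type", "").lower() == "application/hta"
    sniffed_hta = not body.startswith(RTF_MAGIC) and HTA_MARKER.search(body) is not None
    if served_as_hta or sniffed_hta:
        why = "Content-Type application/hta" if served_as_hta else "HTA markup in body"
        return f"{ev['process']} fetched {ev['url']} ({why})"
    return None


def detect(events):
    """Run both checks over a stream of events and return alert strings."""
    checks = {"process": check_process, "web": check_download}
    return [hit for ev in events if (hit := checks[ev["type"]](ev))]


# Constructed sample telemetry: a benign Word launch, a benign RTF fetch,
# then the two observable steps of the described chain.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe", "pid": 1200},
    {"type": "web", "process": "winword.exe", "url": "http://intranet.example/memo.rtf",
     "content_type": "application/rtf", "body_prefix": b"{\\rtf1\\ansi\\deff0"},
    {"type": "web", "process": "winword.exe", "url": "http://example.invalid/template.rtf",
     "content_type": "application/hta", "body_prefix": b"<html><head><script language=\"VBScript\">"},
    {"type": "process", "parent": "winword.exe", "image": "mshta.exe", "pid": 1344},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The body sniff catches the case McAfee and FireEye describe, a file named like an RTF that is actually HTA markup, even when the server does not label it application/hta.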