
New Attack Fingerprints Users Using Word Documents

A newly detailed attack method leverages Microsoft Word documents to gather information on users, but doesn’t use macros, exploits or any other active content to do so, security researchers at Kaspersky Lab have discovered.


Distributed as attachments to phishing emails, these documents were in OLE2 format and contained links to PHP scripts located on third-party web resources. As soon as a user opens the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the computer.

An analyzed document contained tips on how to use Google search more effectively and did not appear suspicious, especially since it contained no active content, embedded Flash objects or PE files. However, as soon as a user opens the document, Word sends a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” the security researchers say.

The security researchers discovered that the document relied on an undocumented Word feature involving the INCLUDEPICTURE field. This field indicates that an image is attached to certain characters in the text, but the attackers used it to include a suspicious link there, although this was not the URL that Word actually requested.

While the text in the Word document is stored in a raw state, so-called fields are used to indicate how portions of the text should be presented. A specific byte indicates that the raw text ends and the INCLUDEPICTURE field begins; separator and end bytes are also associated with the field.

In the analyzed document, a byte between the separator and the end indicates that an image should be inserted at that point. After locating the byte sequence with the picture placeholder, the researchers determined the offset at which the image should be located in the Data stream. The object at that offset turned out to be a Form, and its name was another suspicious link.

Because the link was only an object name, it wasn’t used in any way, but a combination of flags was used to indicate that additional data should be attached to the form. This data, the researchers say, “constitutes a URL that leads to the actual content of the form.”


A ‘do not save’ flag prevented the content from being saved to the actual document when it is opened.
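For triage, the field layout described above can be walked directly. The following Python sketch is an added example, not code from Kaspersky or from the analyzed document: it finds INCLUDEPICTURE fields in a document's text, extracts any URL in the field instruction, and reports whether the field result holds a picture placeholder. It assumes the text has already been extracted from the WordDocument stream as 8-bit characters; the marker values (0x13 begin, 0x14 separator, 0x15 end, 0x01 picture placeholder) come from the Word binary format rather than from this article, and the sample buffer and its URL are constructed.

```python
import re

# Field marker characters in the Word binary (.doc) text stream.
FIELD_BEGIN, FIELD_SEP, FIELD_END = 0x13, 0x14, 0x15
PICTURE_PLACEHOLDER = 0x01  # inline picture/object whose data lives in the Data stream
URL_RE = re.compile(rb'https?://[^\s"\x13\x14\x15]+', re.I)

# Constructed sample: body text, one INCLUDEPICTURE field, one harmless PAGE field.
SAMPLE = (
    b"Tips for searching with Google\r"
    b'\x13 INCLUDEPICTURE "http://example.invalid/img.php?id=1" \x14\x01\x15\r'
    b"\x13 PAGE \x141\x15\r"
)


def find_includepicture_fields(text: bytes):
    """Return one finding per INCLUDEPICTURE field found in 8-bit document text."""
    findings, stack = [], []
    for pos, byte in enumerate(text):
        if byte == FIELD_BEGIN:
            stack.append({"begin": pos, "sep": None})  # fields may nest
        elif byte == FIELD_SEP and stack and stack[-1]["sep"] is None:
            stack[-1]["sep"] = pos
        elif byte == FIELD_END and stack:
            field = stack.pop()
            sep = field["sep"] if field["sep"] is not None else pos
            instruction = text[field["begin"] + 1:sep]  # field code and arguments
            result = text[sep + 1:pos]                  # what Word displays
            if not instruction.strip().upper().startswith(b"INCLUDEPICTURE"):
                continue
            findings.append({
                "offset": field["begin"],
                "urls": [u.decode("ascii", "replace")
                         for u in URL_RE.findall(instruction)],
                "has_picture_placeholder": PICTURE_PLACEHOLDER in result,
            })
    return findings


if __name__ == "__main__":
    for finding in find_includepicture_fields(SAMPLE):
        print(finding)
```

A hit from this check is only a starting point: as the researchers note, the URL in the field was not the one Word contacted, so a flagged document still needs its Data stream examined for the form object and the URL attached to it.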

The issue, the Kaspersky researchers say, is that “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.” They couldn’t find information on what the data that follows the separator may mean, and how it should be interpreted, which was the main problem when trying to understand how the document was following the URL.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

This Office feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android, the researchers discovered. However, LibreOffice and OpenOffice do not have it, meaning that Word documents opened with either of these applications won’t call the malicious link.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
