
Macro-Based Multi-Stage Attack Delivers Password Stealer

A malicious attack uses a multi-stage infection to deploy malware that is capable of stealing passwords from various applications on a victim’s computer, Trustwave reports.

The attack starts with spam emails distributed from the Necurs botnet to deliver macro-enabled documents, such as Word docs, Excel spreadsheets, or PowerPoint presentations, to the targets.

As part of this infection campaign, DOCX attachments containing an embedded OLE object with external references were used. The document's relationships file, document.xml.rels, thus points to a remote OLE object that is fetched when the document is opened, Trustwave explains.
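A defender can check for exactly this construct before a document reaches a user: unpack the DOCX (a ZIP archive) and look in word/_rels/document.xml.rels for oleObject relationships marked TargetMode="External". The following is an added example, not code from Trustwave or the original article; the sample archives and the http://example.invalid URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PATH = "word/_rels/document.xml.rels"


def external_ole_targets(docx_bytes):
    """Return the Target of every oleObject relationship in document.xml.rels
    that is marked TargetMode="External" (i.e. a remotely loaded OLE object)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits  # no relationships part: nothing to flag
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                hits.append(rel.get("Target"))
    return hits


def build_sample_docx(rels_xml):
    """Build a minimal DOCX-shaped ZIP in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed rels: one embedded (local) OLE object, one hyperlink, one external OLE object.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/page" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OLE_REL}" Target="http://example.invalid/remote.doc" TargetMode="External"/>
</Relationships>"""

# Constructed rels with only a locally embedded OLE object: should not be flagged.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

if __name__ == "__main__":
    print(external_ole_targets(build_sample_docx(SUSPICIOUS_RELS)))  # ['http://example.invalid/remote.doc']
```

The same check applies to other OOXML containers (XLSX, PPTX) once the relationships part for the relevant document is located.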

As soon as the user opens the file, a remote document is accessed from the URL hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. Although it has a .doc extension, the file is actually a RTF document.

Once opened on the victim’s system, the file attempts to exploit CVE-2017-11882, a vulnerability in Office’s Equation Editor that Microsoft patched last November and which has already been abused in a wide range of attacks.

The RTF file executes an MSHTA command line to download and execute a remote HTA file. In turn, the HTA file contains VBScript with obfuscated code which decodes to a PowerShell Script designed to fetch and run a remote binary file.

This binary is the final payload, a password stealer malware family capable of gathering credentials from email clients, FTP clients, and browsers installed on the victim’s machine. To do so, it concatenates strings in memory and uses the RegOpenKeyExW and PathFileExistsW APIs to check whether the registry keys or file paths of various programs exist.

The malware was observed sending the harvested data to its command and control (C&C) server via an HTTP POST request.

The most interesting aspect of this attack is the use of multiple stages to deliver the final payload, an approach that Trustwave calls unusual. The security researchers also point out that this long infection chain is more likely to fail compared to other, more straightforward attacks.

“Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA) that are not often blocked by email or network gateways, unlike the more obvious scripting languages like VBS, JScript or WSF,” Trustwave concludes.

Related: Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office

Related: Zyklon Malware Delivered via Recent Office Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
