A newly detailed attack method leverages Microsoft Word documents to gather information on users, but doesn’t use macros, exploits or any other active content to do so, security researchers at Kaspersky Lab have discovered.
Distributed as attachments to phishing emails, these documents were in OLE2 format and contained links to PHP scripts located on third-party web resources. As soon as a user opens the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the computer.
An analyzed document contained tips on how one could use Google search more effectively and doesn’t appear to be suspicious, especially since it doesn’t contain active content, embedded Flash objects or PE files. However, as soon as a user opens the document, Word sends a GET request to an internal link.
“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” the security researchers say.
The security researchers discovered that the document used an undocumented Word feature, where an INCLUDEPICTURE field is used. This field indicates that an image is attached to certain characters in the text, but attackers used it to include a suspicious link there, although not the URL addressed by Word.
While the text in the Word document is stored in a raw state, so-called fields are used to indicate in which way portions of the text should be presented. A specific byte indicates that the raw text ends and the field INCLUDEPICTURE begins, and separator, and end bytes are also associated with the field.
In the analyzed document, a byte between the separator and the end indicates that an image should be inserted at that point. After locating the byte sequence with the picture placeholder, the researchers concluded at which offset the image should be located in the Data stream. The offset turned out to be a Form, and its name was another suspicious link.
Because the link was only an object name, it wasn’t used in any way, but a combination of flags was used to indicate that additional data should be attached to the form. This data, the researchers say, “constitutes a URL that leads to the actual content of the form.”
A a ‘do not save’ flag prevented the content from being saved to the actual document when it is opened.
The issue, the Kaspersky researchers say, is that “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.” They couldn’t find information on what the data that follows the separator may mean, and how it should be interpreted, which was the main problem when trying to understand how the document was following the URL.
“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.
This Office feature exists in Word and Windows, Microsoft Office for iOS, and Microsoft Office for Android, the researchers discovered. However, LibreOffice and OpenOffice do not have it, meaning that Word documents opened with any of these applications won’t call the malicious link.
Related: Office’s OLE Leveraged to Hide Malicious Code
Related: Macro Malware Dridex, Locky Using Forms to Hide Code