Attackers explore the new vector of malware delivery using SettingsContent-ms files

Delaware, USA – July 5, 2018 – Less than a month has passed since the publication of Proof-of-Concept code that can be used to deliver malware using the SettingContent-ms files, and now security researchers discovered the first working exploitation chains. On June 11, Matt Nelson published the research of a new possible attack vector, and since that time attackers started experiments on building an effective exploitation chain. The SettingContent-ms files can be used to execute arbitrary code on Windows 10 based systems. They are shortcuts containing the element, which allows anyone to execute binary with the specified parameters without any warnings. These files can be embedded via OLE into Microsoft Office documents and initiate the download of malware without causing suspicion of security solutions. One of the detected working exploiting chains downloaded Remote Access Tool to the victim’s computer. Nick Carr, the security researcher form FireEye, discovers new attempts to exploit this attack vector every day, mostly they are just PoC testing, but the appearance of the first working samples indicates possible active campaigns in the near future.

A similar situation was with the exploitation of the DDE feature in Microsoft Office. Within a month attackers started its massive use for the distribution of Ransomware and Trojans. Even infamous APT groups used this technique in their campaigns. While there are no ways to detect the malicious use of the SettingContent-ms files, you can use APT Framework with your SIEM to uncover advanced malware that can bypass regular security tools.