Delaware, USA – October 17, 2018 — Researchers at Cisco Talos discovered several campaigns that use the new trick to infect victims with infostealers. Attackers distribute Loki, Agent Tesla and Gamarue malware, which can steal passwords from popular programs, take screenshots, record video from a webcam and download additional payload. Researchers associate these campaigns with a group that spread FormBook Infostealer since May of this year and used infamous Microsoft Word vulnerabilities CVE-2017-0199 and CVE-2017-11882 to infect their victims. To trick antivirus solutions, attackers leverage Microsoft Object Linking and Embedding as well as many control words in RTF body, so parsers ignore anything they don’t know and AV tools mark the document as safe. During the scan of a malicious document, only 2 antiviruses identified the file as suspicious. Attackers leverage the \objupdate trick to force the embedded object to update before it’s displayed, so attacked user does not have to click on the object before it’s loaded, and the exploit starts immediately after malicious Word file is open.
Threat actor behind this campaign can easily create new malicious documents that will bypass AV solutions. Other cybercriminals and APT groups also can weaponize this technique to deploy various malware. To discover this exploit chain with your security solutions, you can use free rules created by Florian Roth: https://tdm.socprime.com/tdm/info/1132/
It is also recommended to use Sysmon Framework rule pack to detect suspicious activity on Windows systems: https://my.socprime.com/en/integrations/sysmon-framework-hpe-arcsight