Malicious Word File Auto Downloads Additional Malware
Cyber criminals have now resorted to a new attack vector – auto downloading malware. If a victim is tricked into downloading a malicious Word file, this file in turn automatically downloads another malicious file of a different format. Successful downloads lead to a remote access Trojan (RAT) infection.
A distinctive feature of this malware is that it exploits a built-in feature of Microsoft Word. Whenever a Word file is opened, this feature automatically updates any links contained in the file. The first file, an RTF document, contains an embedded link that downloads the RAT. The vulnerability it exploits is tracked as CVE-2017-0199.
This exploit has somehow been able to suppress both the display of the warning Word would normally show and the user response that warning requires.
CVE-2017-0199 exploited in PPSX file
A group of cyber security researchers has observed the same pattern of exploitation with a PPSX file instead of the Word file. The attack began with emails carrying a malicious PowerPoint Open XML Slide Show attachment. The malicious link is contained within this PPSX file. This link does require user interaction, and automatic downloading does not take place. However, the user does not have to click the link; just hovering over it is enough to trigger it and start the download of the RAT.
Cyber criminals will keep finding new attack vectors to get past defenses. In the attacks explained above, the threat actors did not exploit any vulnerabilities in macros and did not use any macros; they exploited the mouse-over facility to trigger the link that downloads the malware.
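A defender's triage check for both delivery formats described above, as an added example that is not part of the original article: it lists external link targets and mouse-over hyperlinks in an Office Open XML package (PPSX, DOCX) and flags the RTF control words that make a linked object update on open. The function names, the size limit and the sample files are constructed assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile input at scale, prefer defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_PART = 5 * 1024 * 1024  # assumed cap: skip oversized parts (zip-bomb guard)
# RTF control words for an auto-updating linked OLE object
RTF_AUTOLINK = re.compile(rb"\\(?:objautlink|objupdate)(?![a-z])")

def scan_ooxml(data: bytes) -> dict:
    """Return external relationship targets and parts holding hover hyperlinks."""
    findings = {"external": [], "mouse_over": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                continue
            body = zf.read(info)
            name = info.filename
            if name.endswith(".rels"):
                for rel in ET.fromstring(body).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        findings["external"].append((name, rel.get("Target")))
            elif name.endswith(".xml") and b"hlinkMouseOver" in body:
                findings["mouse_over"].append(name)
    return findings

def scan_rtf(data: bytes) -> list:
    """Return the auto-update link control words present in an RTF file."""
    return sorted({m.group().decode() for m in RTF_AUTOLINK.finditer(data)})

def build_sample_ppsx() -> bytes:
    """Constructed sample: one slide whose hover hyperlink points off-package."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId2" Target="http://example.invalid/payload" TargetMode="External" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
            '</Relationships>')
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
             'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
             '<a:hlinkMouseOver r:id="rId2"/></p:sld>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/slides/slide1.xml", slide)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample_ppsx()))
    print(scan_rtf(rb"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}}}"))
```

External targets and hover hyperlinks also occur in benign documents, so treat hits as triage signals to review rather than verdicts; obfuscated RTF can evade a plain byte search.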
Attack vectors will evolve. It will be up to IT security administrators to secure their enterprise network and data with a robust cloud-based endpoint security solution to stay protected from cutting-edge attacks.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.