Macro-less Microsoft Word spam attachments infect users with malware

Word document attachments that spread malware no longer asks to enable Macros

For many years, spam email with malicious attachments is the method that executed 93% of malware^[1] for the last couple of years. Judging from the latest news by Trustwave SpiderLabs^[2] researchers, it seems that the dissemination of malware, mainly Trojan, Spyware, Keyloggers, Worms, and Ransomware, will further depend on how many malicious email attachments people are going to open. Nevertheless, hackers are going to introduce one important change – from now on, people may receive spam with malicious Word Document, Excel or PowerPoint attachments without a requirement to run a Macros script. If earlier malware were executed only when the potential victim enabled Macros,^[3] now it will be activated by just double-clicking on an email attachment.

Macro-less technique is already in use

Although researchers managed to detect it only in the beginning of February, it seems that the Macro-less technology has been released way too earlier and potential victims might have already received them.

This new Macro-free spam campaign uses malicious Word attachments activate four-stage infection, which exploits the Office Equation Editor vulnerability (CVE-2017-11882) to obtain code execution from the victim’s email, FTP, and browsers. Microsoft had already patched the CVE-2017-11882 vulnerability last year, but many systems did not receive the patch for whatever reasons.

The Macro-free technique used to spread malware is inherent to a .DOCX formatted attachment, while the origin of the spam email is Necurs botnet.^[4] According to Trustwave, the subject can vary, but all of them have a financial relationship. Four possible versions have been noticed:

• TNT STATEMENT OF ACCOUNT
• Request for Quotation
• Telex Transfer Notification
• SWIFT COPY FOR BALANCE PAYMENT

SpiderLabs approved that the malicious attachment coincides with all types of Macro-less spam emails. According to them, the .DOCX attachment is named as “receipt.docx.”

The chain of Macro-free exploitation technique

The multi-stage infection process starts as soon as the potential victim opens the .DOCX file. The latter triggers an embedded OLE (Object Linking and Embedding) object that contains external references to hackers servers. This way, hackers get remote access to OLE objects to be referenced in the document.xml.rels.

Spammers exploit the Word (or .DOCX formatted) documents that have been created using Microsoft Office 2007. This type of documents uses the Open XML Format, which is based on XML and ZIP archive technologies. Attackers found the way to manipulate these technologies both manually and automatically. After that, the stage two starts only when the PC‘s user opens the malicious .DOCX file. When the file is opened, it establishes the remote connection and downloads an RTF (rich text file format) file.

When the user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually an RTF file that is downloaded and executed.

That‘s how Macro-less malware execution technique looks like schematically:

• A potential victim gets an email with a .DOCX file attached.
• He or she double-clicks on the attachment and downloads an OLE Object.
• Now the supposed Doc file, which is in reality RTF, eventually opens.
• The DOC file exploits the CVE-2017-11882 Office Equation Editor vulnerability.
• The malicious code runs an MSHTA command line.
• This command downloads and executes an HTA file, which contains VBScript.
• The VBScript unpacks a PowerShell script.
• Powershell script subsequently installs the malware.

Keep Windows OS and Office up-to-date to protect yourself from Macro-less malware attacks

Cybersecurity experts haven’t yet found a way to protect people’s email accounts from Necurs attacks. Probably a hundred percent protection will not be found at all. The most important piece of advice is to stay away from doubtful email messages. If you haven’t been waiting for an official document, but you receive one out of nowhere, do not fall for this trick. Investigate such messages for grammar or typo mistakes because official authorities will hardly leave any mistakes in their official notifications.

In addition to carefulness, it’s important to keep Windows and Office up-to-date. Those who have disabled auto-updates for a long time are at high risk of severe virus infections. Outdated system and software installed on it may feature vulnerabilities like CVE-2017-11882, which can only be patched by installing the latest updates.