Microsoft Word Intruder, or MWI for short, is a toolkit for sneaking malware onto your computer using booby-trapped Word files.
The idea is that instead of sending you an email with a link you have to click, crooks can send you an innocent-looking document with a believable backstory, such as a courier parcel that couldn’t be delivered, or a bogus invoice, or a fake quotation.
Documents are supposed to be data, not programs, so it ought to be safe to open them to see what’s inside.
But exploit kits like MWI can create documents that are unsafe to open, at least if you haven’t patched Word recently, because they deliberately trigger a bug, or vulnerability, which causes hidden program code inside the booby-trapped file to run without any prompts or warnings.
MWI can build booby-trapped files on demand, primed with malware that will be installed silently when the document is opened.
The author of MWI, known as Objekt, offers a service to other cybercriminals, packaging their malware into exploit files, so they don’t need to become experts in Word files or exploits themselves.
We’ve been following Objekt’s business operation for a while, and we have already written about both the MWI tool and some of the malware campaigns it has serviced.
In the past, MWI used a combination of older Office exploits known as CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761.
But we reported recently that a new exploit, dubbed CVE-2015-1641, had found its way into the daily routine of cybercrime groups.
A new exploit is always of interest to malware authors, because it extends their reach: they can now attack users who have patched recently, even if they can’t infect users who are completely up-to-date.
So it was just a question of time as to when Objekt would integrate the CVE-2015-1641 exploit into his MWI “cybercrime service”.
That moment has now arrived.
In fact, the document we analysed for this article used only the new CVE-2015-1641 exploit, with the the three older exploits removed altogether.
The implementation of the exploit uses a very similar approach to the one we described in our earlier writeup, in which the malicious code triggered by the exploit is deliberately scrambled inside the booby-trapped file, thus making its presence less obvious.
We have seen one sample using this method:
SHA1: 0f09717cd8a1b64de47e4b54913c2953a0a6f55c Name: Прайс.doc
The filename is in Russian, and translates as Price.doc, a good filename to go with an email that claims to be a quotation.
If you open the above sample in an unpatched version of Word, the exploit will covertly install software called LiteManager on your PC.
LiteManager is a remote administration tool, the sort of program that is often used purposefully by IT departments and support staff for legitimate remote support.
But tools of this sort, if installed illegally and covertly by crooks, aren’t there to help you if you get stuck or have technical problems.
They’re there to allow unlawful access for criminal purposes, anywhere from sending spam and attacking other websites to stealing personal or company documents and passwords.
To make the software less obvious, and to give it an air of legitimacy if you should notice it, MWI installs it into the folder:
%PROFILE%\AppData\Roaming\MicrocoftUpdate\
WHAT NEXT?
Microsoft Word Intruder is an exploit generator under constant development.
Office exploits are added to it irregularly, when older exploits became less effective as unpatched computers either get patched at last, or get infected and end upreinstalled with more recent software.
Even the old exploits in MWI had a 15-50% success rate, so with the new exploit in place, we can expect higher infection rates for malware campaigns using MWI.
MWI was not the first exploit generator to adopt the CVE-2015-1641 exploit, but is nevertheless a reminder that cybercriminals are not resting.
We should not rest either in our defensive efforts – and that includes patching!
If you haven’t been reading Naked Security’s Advent Tips series for December 2015, why not start with our reminder about the importance of updates…
💡 LEARN MORE – The CVE-2015-1641 vulnerability ►
Sophos products detect MWI-generated documents that use this exploit as Troj/20151641-A. Note that LiteManager is a legitimate application, ripped off and used unlawfully in this attack. Even though it is not malware, however, it can be blocked by Sophos Application Control, along with many other potentially risky tools. Sophos identifies it as AppC/LiManS-A.
Richard
Any idea if this can be activated through Outlook’s preview feature, too? I’m fairly certain it’s a component separate from Word itself.
Paul Ducklin
I rather doubt it, at least in this case. But I’ll ask Szappi…
Gabor Szappanos
It depends on the Office versions. In my tests exploits could be activated in Outlook’s preview in Office 2007, but not in Office 2003 or 2010. Looks like the preview feature is not that separate from Office.
Jay
Wonder if EMET would catch this?