This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.
For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.
SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.
Along with these new vulnerabilities, the Microsoft Office document exploit kits have also strengthened their tactics and added new complexity to their attacks. For example, the newest version of Microsoft Word Intruder can now deploy a decoy document, and its payload files are now relocated to the end of the exploit block. The decoy document gives the victim something plausible to read while the exploit runs, which helps the attackers hide their tracks.
Despite all these changes, one thing that hasn’t really changed is the delivery system. These exploits are still sent via email – regardless of whether it’s a 0-day targeted attack or a large-scale attack on a wide audience.
These emails use common social engineering methods to urge the recipient to open the malicious attachment, which generally looks like a Microsoft Word document in DOCX format. Often the payload from these attacks will point the victim to a command-and-control server that hosts webpages designed to phish additional credentials, such as email credentials, from the victim.
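One check a practitioner can run on incoming attachments follows from two points above: payload files placed at the end of the exploit block, and delivery as something that looks like a DOCX. A DOCX is a ZIP container, and ZIP readers (Word included) silently ignore anything after the End of Central Directory record, so bytes appended past the container are a cheap triage signal. The script below locates the real end of the container and reports what, if anything, follows it. This is an added example, not code from the SophosLabs paper or from Microsoft Word Intruder; the paper does not state the container format of the exploit block, so the ZIP-based DOCX layout is an assumption, and the sample documents and the appended "payload" are constructed for illustration.

```python
"""Check an OOXML (DOCX) file for data appended after its ZIP container.

Added example, not code from the SophosLabs paper or from Microsoft Word
Intruder. It assumes the document is a ZIP-based DOCX; the paper does not
state the container format of the exploit block, so this check is generic.
"""
import io
import struct
import sys
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory signature
EOCD_LEN = 22              # fixed part of the EOCD record, before the comment

# Magic bytes used to describe whatever is found after the container.
_MAGIC = [
    (b"MZ", "PE executable (MZ)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (b"{\\rtf", "RTF document"),
    (b"PK\x03\x04", "ZIP/OOXML archive"),
]


def container_end(data: bytes) -> int:
    """Offset just past the real EOCD record (and its comment).

    Scans from the start and accepts the first EOCD whose central-directory
    offset + size equals its own position. A stray signature inside appended
    data fails that consistency check, so it cannot be mistaken for the end."""
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            _disk, _cd_disk, _n_here, _n_total, cd_size, cd_off, comment_len = \
                struct.unpack_from("<HHHHIIH", data, pos + 4)
            end = pos + EOCD_LEN + comment_len
            if cd_off + cd_size == pos and end <= len(data):
                return end
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no End of Central Directory record: not a ZIP-based document")


def trailing_data(data: bytes) -> bytes:
    """Bytes a ZIP reader would ignore: everything after the container."""
    return data[container_end(data):]


def classify_trailing(extra: bytes) -> str:
    """Human-readable guess at what the appended bytes are."""
    if not extra:
        return "none"
    for magic, label in _MAGIC:
        if extra.startswith(magic):
            return label
    return "unknown (%d bytes)" % len(extra)


def build_docx_like(parts) -> bytes:
    """Constructed sample: a minimal ZIP with DOCX-style part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a clean document, and the same
# document with a fake PE stub appended. The stub deliberately contains a
# bogus EOCD signature to show that container_end() is not fooled by it.
CLEAN_DOCX = build_docx_like({
    "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
    "word/document.xml": b"<w:document/>",
})
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + EOCD_SIG + b"\x00" * 18
TRAILED_DOCX = CLEAN_DOCX + FAKE_PAYLOAD


def report(data: bytes) -> str:
    """One-line summary suitable for a triage log."""
    extra = trailing_data(data)
    return "container ends at %d of %d bytes; trailing: %s" % (
        container_end(data), len(data), classify_trailing(extra))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(report(f.read()))
    else:
        print("clean:   ", report(CLEAN_DOCX))
        print("trailed: ", report(TRAILED_DOCX))
```

Run it with a file path to check a real attachment, or with no arguments to see the two constructed samples. Trailing bytes are a signal, not a verdict: some legitimate tools also append data to archives, and a document with nothing appended can still carry an exploit in its parts, so treat a hit as a reason to detonate the sample, not as proof on its own.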
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.