Word exploits weaponised in quick time

The bad guys were especially efficient at turning the CVE-2017-0199 Word exploit into a potent attack, according to a SophosLabs analysis.

Principal Researcher Gábor Szappanos outlined the sequence of events in “CVE-2017-0199: life of an exploit,” a paper published today.

He wrote:

The normal lifecycle of an Office exploit starts with the initial use in targeted attacks. Then, at some point, the information leaks out and cybercrime groups start using it more widely. Offensive security researchers then start experimenting with antivirus evasion, and the exploit finally ends up in underground exploit builders. Normally this cycle can take a few months. In the case of the CVE-2017-0199 Word exploit, we have observed this at a much more accelerated time scale.

Exploit history

The following chart shows the lifecycle of the CVE-2017-0199 Word exploit:

The vulnerability has been used for months in targeted attacks, and most of the activity happened in March and April. But the first samples date back to November. Szappanos wrote:

At this point, most security researchers and virus labs didn’t have reliable information about the exploit, let alone samples. Yet somehow the criminals behind the Dridex distribution campaigns found a working sample of the exploit and started using it for malware distribution all within a couple of days.

They could react quickly because they were reusing their own already existing distribution mechanism, he wrote.

The paper goes on to outline specific steps the bad guys took to turn the exploit into an effective series of attacks. The PDF is available on Sophos.com’s technical papers page.

Word zero-day attacks

Szappanos decided to delve deeper after attackers used a previously undisclosed Word zero-day vulnerability to install a variety of malware on victims’ computers.

The attacks culminated in Microsoft releasing a patch on April 11 for the vulnerability, which was triggered when users opened a document with a benign-looking download warning, followed by a download from a booby-trapped server that sent a document of a more dangerous sort.

In this case, the booby-trapped server sent out a compiled HTML file with an embedded program script. Word accepted and ran the script without producing the warning you would expect to see.

It affected all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks did not rely on enabled macros, so no warning for macro-laden documents appeared. The Dridex banking Trojan was among the malware used in some of the exploits.

The patch and other defenses

Sophos detected the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers were protected.

The ultimate solution was to install Microsoft’s patch, but at the time Naked Security offered the following suggestions for a more robust defense:

• If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
•  It appears that attacks seen in the wild thus far can’t bypass the Office Protected View, which means enabling it may provide some extra protection.
• Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
• Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
• Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.