Phishing attacks use undocumented MS Office feature to leak system profile data



An undocumented Microsoft Office feature allows attackers to gather configuration details about a targeted system simply by phishing the victim into opening a specially crafted Word document. No VBA macros, embedded Flash objects or PE files are needed.

According to Kaspersky Lab researchers, adversaries are using the feature as the reconnaissance stage of a multistage attack: the crafted document first collects configuration data about the target system, and that data is then used to tailor the follow-up.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” wrote Kaspersky Lab researchers in a blog post Monday explaining their research.

The feature is present in Word for Windows as well as in Microsoft Office for iOS and Microsoft Office for Android. Researchers say they have observed several spear phishing campaigns carrying the malicious attachments, laying the groundwork for future attacks with this technique.

“To ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them. In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit,” researchers said.

Emails in the phishing campaign contained Word documents in the OLE2 (Object Linking and Embedding) format, the legacy binary .doc container. OLE lets an author embed objects in a document or link to external resources from it; a field can, for example, “point” to a graphic by path or URL instead of embedding the graphic file itself.

When researchers looked closer at the underlying code of the questionable Word attachments, they found an INCLUDEPICTURE field whose instruction text was stored as Unicode rather than the ASCII text such a field is normally written in.

When the document is opened, that field makes Word issue an HTTP GET request to an obfuscated URL embedded in the very same document. The URLs pointed to PHP scripts on third-party web resources that recorded the incoming requests. “As a result, the attackers received information about the software installed on the computer,” they said.
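The detection gap described above is that the field name is not visible as an ASCII string when Word stores the instruction as Unicode, so a scanner that greps attachments for the literal bytes of INCLUDEPICTURE misses it. The following is an added example, my own code rather than Kaspersky's, KnowBe4's or Microsoft's: it scans a document's bytes for the field in both 8-bit and UTF-16LE text, extracts the target, notes the `\d` switch (Word's option not to store the picture data, which forces a fetch on open) and flags targets that would cause an outbound request. It goes beyond the page's OLE2 case by also scanning the XML parts of a DOCX zip. The sample documents are constructed inline and 203.0.113.7 is a documentation address, not one from the campaign.

```python
"""Find INCLUDEPICTURE fields that point at remote resources in a Word document.

Added example, not code from Kaspersky Lab, KnowBe4 or Microsoft. It scans the
document text in the two encodings Word uses for field instructions, 8-bit text
and UTF-16LE (the form the analysed samples used), so a field hidden as Unicode
is found alongside one written in plain ASCII. All sample data is constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Word field syntax: INCLUDEPICTURE "target" [\c Converter] [\d] [\* MERGEFORMAT]
# In legacy .doc text streams, 0x13 / 0x14 / 0x15 delimit field begin, separator, end.
FIELD_RE = re.compile(
    r'INCLUDEPICTURE\s+(?:"(?P<quoted>[^"\r\n\x13\x14\x15]+)"|(?P<bare>[^\s"\x13\x14\x15]+))'
    r'(?P<switches>(?:\s+\\\*?\s*\w+)*)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    target: str
    encoding: str   # "ascii" or "utf-16le": how the field text was stored
    refetch: bool   # \d switch: picture data not stored, so Word fetches it on open
    remote: bool    # http(s) URL or UNC path: opening the file causes an outbound request


def _text_views(data: bytes) -> Iterator[Tuple[str, str]]:
    """Decode the bytes as 8-bit text (latin-1 never fails) and as UTF-16LE at both
    byte alignments, since the field can start at an odd offset in a binary stream."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        yield "utf-16le", data[offset:].decode("utf-16-le", errors="replace")


def _is_remote(target: str) -> bool:
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\", "//"))


def _scan_blob(data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()
    for encoding, text in _text_views(data):
        for m in FIELD_RE.finditer(text):
            target = m.group("quoted") or m.group("bare")
            if (encoding, target) in seen:
                continue
            seen.add((encoding, target))
            switches = m.group("switches").lower().split()
            findings.append(Finding(target, encoding, "\\d" in switches, _is_remote(target)))
    return findings


def find_includepicture(data: bytes) -> List[Finding]:
    """Accept the raw bytes of a legacy OLE2 .doc or, beyond the page's case, a DOCX
    zip, whose XML parts are scanned one by one (they are deflated, so a raw byte
    scan of the container itself would see nothing)."""
    if data[:4] == b"PK\x03\x04":
        findings: List[Finding] = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith((".xml", ".rels")):
                    findings.extend(_scan_blob(zf.read(name)))
        return findings
    return _scan_blob(data)


# --- constructed samples (not real campaign documents) -------------------------

def legacy_unicode_sample() -> bytes:
    """Stand-in for an OLE2 .doc text stream: compound-file magic, padding that
    leaves the field at an odd byte offset, then the field written in UTF-16LE.
    A grep for the ASCII string "INCLUDEPICTURE" does not match these bytes."""
    field = '\x13 INCLUDEPICTURE "http://203.0.113.7/img.php" \\d \x14\x15'
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 9
            + field.encode("utf-16-le") + b"\x00" * 8)


def docx_sample() -> bytes:
    """Minimal DOCX whose document.xml carries the same field as a complex field."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://203.0.113.7/p.php" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc_xml)
    return buf.getvalue()


# A local picture link: legitimate use of the same field, must not be flagged.
BENIGN_LOCAL_SAMPLE = b'\x13 INCLUDEPICTURE "C:\\Pictures\\logo.png" \x14\x15'


if __name__ == "__main__":
    for label, blob in (("legacy/unicode", legacy_unicode_sample()),
                        ("docx", docx_sample()),
                        ("benign local", BENIGN_LOCAL_SAMPLE)):
        for f in find_includepicture(blob):
            verdict = "REMOTE FETCH" if f.remote else "local"
            print(f"{label}: {verdict} {f.encoding} refetch={f.refetch} -> {f.target}")
```

Run it against a suspect attachment by passing the file's bytes to `find_includepicture`; any finding with `remote=True` means opening the document triggers a request to that target, and `refetch=True` means Word will make it every time rather than using cached picture data. The latin-1 view deliberately does not match the UTF-16LE form, so the `encoding` field tells you which storage form the sample used.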

Researchers identified the undocumented Microsoft feature only as INCLUDEPICTURE field. “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field,” they said. “This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks.

In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky researchers said. They added that there is nothing suspicious about the Word document at first glance; its visible content is just a set of Google search tips.

Another excellent reason to train your users...


I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

Get A Quote

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat_get_a_quote_now

Let's stay safe out there.

Warm regards,

Stu Sjouwerman,

Founder and CEO, KnowBe4, Inc


Source


Topics: Phishing


