Tag Archives: macros

Attackers Turn to OpenDocument Files Attempting to Bypass Attachment Scanning

Earlier last week Cisco Talos researchers discovered 3 OpenDocument files that were being used in an attempt to deliver malware to their intended targets.

================
TL DR
================
For any email attachment you receive, if you weren’t expecting it, don’t open it. Be cautious of clicking unknown or potentially suspicious links received within emails or via social media. If you use alternatives to Microsoft Office e.g. OpenOffice, LibreOffice or StarOffice within your organisation, small business or home office consider scanning files you receive from others with your anti-malware software before opening them. Keep your office/productivity software up to date.

Why should these files be considered a potential risk?
Since OpenXML Microsoft Office files are compressed archives they are commonly treated as such by anti-malware software and scanned. However, this is not always the case for OpenDocuments (ODT) and they are not always opened within malware sandboxes (defined) or by anti-malware software meaning they can be used to deliver malware that would otherwise be detected and blocked. This is despite the fact that While these documents are also Zip archives with XML files.

Description of the 3 files found and analysed are as follows:

File 1:
The file contained an embedded OLE object (defined) which the person opening the files must accept a prompt in order for that embedded object to be executed targeting Microsoft Office. When accepted the object executes an HTA file (defined) which in turn downloads 2 scripts which are used to download a remote access trojan (RAT)(defined) in one instance the NJRAT and the other the RevengeRAT malware.

File 2:
Once again targeting Microsoft, this file also contained an OLE object but this time it downloaded a fake Spotify.exe. This file downloads another file which is packed to disguise its true purpose from anti-malware software. This packed file actually contains the AZORult information stealer.

File 3:
The final files targets OpenOffice and LibreOffice. The attackers used their equivalents of Microsoft Office macros (defined) to download and run a file called “plink” which sets up SSH connections. However, Talos found that the connection being set up when intended for an internal address rather than an external address located on the internet. They assume this was either for use within a commercial penetration testing programme (due to it attempting to download Metasploit (defined) payloads to be executed with WMI scripts (defined) ) or may be used for lateral movement within the network.

How can I protect my organisation or myself from these threats?
Exercise standard caution when receiving email attachments. If you weren’t expecting the file, don’t open it even if it comes from someone you know/trust. Be cautious of links within emails or received by social media or another means. Consider scanning files intended for OpenOffice, LibreOffice or StarOffice before opening them. If those files begin asking confirmation to carry out actions, DON’T provide your consent.

Since such attachments may contain personal information, please pause and think before you upload them to online scanning services e.g. VirusTotal.

Thank you.

Malware uses DNS protocol for command and control

In early March two Cisco Talos security researchers Edmund Brumaghin and Colin Grady released details of a multi-stage trojan horse which communicates with it’s creator(s) using the Domain Name Service (DNS)(defined) protocol.

Since DNS is a widely used essential protocol it is often allowed to pass through corporate and personal firewalls. The source of the malware is an email containing an attachment reportedly secured with McAfee. The attachment is a Microsoft Word document which when opened requests to enable macros (defined). If the user enables macros the macros unpacks a Microsoft PowerShell script (a computer programming language usually used for automating system administration tasks) which forms the second stage of the attack.

Next the script checks if currently logged in user has administrator rights for their Windows account and checks the installed version of PowerShell. The script then adds a backdoor (defined). If the earlier check for administrative privileges was positive the backdoor will persist after restarting or powering off the system. This backdoor uses DNS to receive and carry out commands from it’s creators.

While analysing this threat, the above mentioned security researchers did not witness the malware receiving DNS commands due to its targeted nature.

How can I protect myself from this threat?
Sine this malware arrives via email, please verify the emails you receive are genuine and not attempting to deliver malware. SANS recently provided extra advice on this (March 6th : source)

=======================
Don’t Trust Links Sent in Email Messages March 6, 2017
A common method cyber criminals use to hack into people’s computers is to send them emails with malicious links. People are tricked into opening these links because they appear to come from someone or something they know and trust. If you click on a link, you may be taken to a site that attempts to harvest your information or tries to hack into your computer. Only click on links that you were expecting. Not sure about an email? Call the person to confirm they sent it.
=======================

In addition if you inspect network traffic within your corporate network, please consider adding DNS to the list of protocols analysed. Attackers are likely to leverage this widely allowed protocol for command and control (defined) going forward.

Thank you.