MalDocs in Word and Excel: An ongoing security challenge

Highlights

  • Old vulnerabilities are still a risk: Despite their age, the 2017 and 2018 CVEs in Microsoft Word and Excel remain active cybersecurity threats. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.

  • Widespread use by cybercriminals: These vulnerabilities are exploited by known malware such as GuLoader, Agent Tesla, Formbook and others. APT groups have also joined the list, with Gamaredon APT being a notable example. They target lucrative sectors such as finance, government and healthcare, indicating a strategic approach by attackers.

  • Challenges to detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.

Persistent threats from old vulnerabilities

In the ever-evolving world of cybersecurity, new threats emerge every day. However, some old vulnerabilities, specifically in Microsoft Word and Excel, still pose a significant risk. These include CVE-2017-11882, CVE-2017-0199 and CVE-2018-0802, which are still used effectively in cyber attacks despite not being zero-day vulnerabilities.

Use by known malware

These vulnerabilities have contributed to the spread of various notorious malware families. For example, the Dridex malware took advantage of CVE-2017-0199 in 2017, while in the following years GuLoader and Agent Tesla used CVE-2017-11882. Another example is the Gamaredon APT, which took advantage of CVE-2017-0199 in 2023. These attacks mainly targeted sectors with high profit potential, such as banking, government and healthcare.

Detection difficulties

Despite having been known for several years, these MalDocs often slip through the safety nets. They use various techniques to avoid detection, including encryption, unusual URLs and concealed shellcode. This makes it particularly difficult for automated security systems to detect and neutralize them.

Information about attacks on industries and countries

Attacks on industries

The use of MalDocs exploiting these long-known CVEs was particularly prevalent in industries where the potential for data exploitation and financial gain is significant. The sectors included are:

1. Financial/Banking services: Given the sensitive financial data, this sector is a prime target for cybercriminals. Malware attacks often aim to steal credentials, manipulate transactions, or gain direct access to financial resources.

2. Government services: These attacks usually focus on extracting confidential government information, disrupting public services or espionage.

3. Health care: With access to personal health information and critical infrastructure, this sector is vulnerable to ransomware and data theft.

The MalDocs are designed to deliver payloads that sit at the top of the mainstream malware lists, indicating a strategic and targeted approach by attackers. These payloads are often part of more extensive campaigns with specific goals, be it financial gain, data theft, or service disruption.


Countries that have been attacked

The geographical spread of the attacks is also noteworthy. While the report does not provide specific details on each country affected, it notes that countries of significant economic or geopolitical importance are more likely to be targeted. This may be due to the higher value of the data or systems in these regions or their importance in global affairs.

Highlighted Payloads

The payloads delivered by these MalDocs include several types of malware, each designed for specific purposes:

1. Banking Trojans such as Dridex: Aim to steal banking credentials.

2. Downloaders such as GuLoader: Used to install additional malware.

3. Info stealers such as Agent Tesla and Formbook: Designed to extract sensitive information such as login credentials and personal data.

The decoys in different attack campaigns

The types of baits

The baits used in these campaigns are cleverly designed to entice the target into opening the maldoc. These baits can be:

1. Emails impersonating legitimate communications: Appear as if they come from trusted sources, such as banks or government agencies.

2. Current issues: Exploiting current events or ongoing topics to stimulate curiosity or urgency.

3. Personalized content: Tailored to the target's interests or activities, based on information the attackers have collected.

Tricks to fool automated sandboxes

Despite the age of these CVEs, the MalDocs have evolved to bypass modern security defenses, especially automated sandboxes, through various techniques:

1. Cloaking the malicious code: Using techniques such as encryption and obfuscation to hide the true nature of the code.

2. Use of legitimate URLs and domain names: To avoid being flagged by automated systems.

3. Shellcode with Junk instructions: Including irrelevant code or commands to mislead automated analysis tools.

4. Time-based execution: Some malicious actions are delayed or triggered by specific user interactions, which may not be reproduced in a sandbox environment.

5. Remote templates and links without extensions: Making it less obvious what the contacted website will serve, complicating detection for security solutions.

6. Document formatting tricks: Such as requiring the user to “enable editing” or “enable content”, which can bypass some automated security measures that do not interact with the documents as a user would.

7. Embedding malicious payloads in non-executable file formats: Such as Word or Excel documents, which are less likely to be flagged as dangerous compared to executable files.
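As an added defender-side example (not from the report or this article), the following Python check targets the remote-template trick in item 5: it reads the attached-template relationship of a .docx and flags external targets that point to an http(s) URL whose last path segment has no file extension. The constructed minimal sample document and the template-host.invalid placeholder host are assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type Word uses for a document's attached template (remote when external).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_findings(docx_bytes):
    """List external attachedTemplate targets in a .docx, flagging the two signs
    discussed above: a remote http(s) URL and a path with no file extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings  # no settings relationships, so no attached template
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        url = urlparse(target)
        last_segment = url.path.rstrip("/").rsplit("/", 1)[-1]
        findings.append({
            "target": target,
            "remote": url.scheme in ("http", "https"),
            "no_extension": "." not in last_segment,
        })
    return findings


def build_sample_docx(template_target):
    """Constructed minimal .docx containing only the parts this check reads (test input)."""
    rels = (f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the extension-less path mirrors the "links without extensions" trick.
    sample = build_sample_docx("http://template-host.invalid/assets/view")
    for finding in remote_template_findings(sample):
        print(finding)
```

A template pointing at a local .dotm file is still reported (it is an external relationship) but with both flags false, so a triage rule can prioritise the remote, extension-less case.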

Evolving tactics

These techniques demonstrate the adaptability of cybercriminals to evolving cyber security measures. The use of well-designed decoys and sophisticated evasion tactics makes it difficult for automated systems to keep pace, necessitating a combination of advanced detection technologies and increased user awareness to effectively combat these threats.

In conclusion, although these CVEs are not new, their continued exploitation underscores the need for continued vigilance in cybersecurity practices. Understanding the targeted industries, countries, and evolving nature of these attacks is critical to developing effective defense strategies against these persistent threats.

Conclusion and recommendations

The continued relevance of these legacy vulnerabilities underscores the importance of cyber security vigilance. To mitigate these risks, it is necessary to:

– Keep operating systems and applications updated.

– Be wary of unexpected email messages with links, especially from unknown senders.

– Raise employee awareness of cyber security issues.

– Consult security experts for any doubts or uncertainties.

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems, and protect against the types of attacks and threats described in this report.

Against CVE-2017-11882:

  • RTF.CVE-2017-11882.gen.TC.*

  • Win32.CVE-2017-11882.TC.*

  • HEUR:Exploit.MSOffice.CVE-2017-11882..TC.

Against CVE-2017-0199:

  • MSOffice.CVE-2017-0199..TC.

  • RTF.CVE-2017-0199..TC.

  • Win32.CVE-2017-0199.TC.*

  • HEUR:Exploit.MSOffice.CVE-2017-0199.gen.TC.*

  • Wins.Maldoc_cve-2017-0199.*

Against CVE-2018-0802:

  • MSOffice.CVE-2018-0802.gen.TC.*

  • RTF.CVE-2018-0802.gen.TC.*

  • Win32.CVE-2018-0802.TC.*

  • HEUR:Exploit.MSOffice.CVE-2018-0802.gen.TC.*

Written by newsbot