Security Alert: New Wave of Malicious Exploit Kits Are Targeting Microsoft Office

Malware authors continue to look for innovative techniques to spread malware and infect users’ computer. This year, exploit kits were one of the most common methods of infection used by cyber criminals to execute malicious code and take control of PCs and systems. During the past week, various exploit kits turned their attention towards Microsoft Office vulnerabilities. For those who are unfamiliar with this terminology, exploit kits are computer programs designed to detect vulnerabilities in browsers, operating systems and other apps such as Adobe Flash or Microsoft Office, and use them for further malicious activities. They are mostly used in the first stages of a cyber attack in which the attackers scan your system, exploit the vulnerabilities and install malware on the victims’ devices. These type of attacks in which online cyber criminals deliver malware by injecting malicious code into documents and tricking users to open and possibly enable macros in the Microsoft Office package have been on the rise in 2017. The “Word Silent Exploit” is one of the malicious tools that took advantage of two remote code execution (RCE) vulnerabilities existing in Microsoft: CVE-2017-8759 and CVE-2017-11882. Hackers targeted these vulnerabilities which allow them to control the exploited system via a malicious Word document. Here’s how the interface of this tool looks like: Basically, more payloads can be created, which are actually the elements of the malware that perform the malicious action. These payloads will then proceed to apply what they’re programmed to do: collect users financial data and encrypt their sensitive data. The most recent version of this tool is v4.4 and is hosted to a C&C server (sanitized for your safety) on elmod [.] Zapto.org, which is registering the tool for, most probably, malicious purposes. These tools are published and sold via the website (sanitized for your protection) http: //www.elm0d [.] Tk / A quick Google search for the “Word Silent Exploit Builder” will reveal more malicious versions of this tool. Additionally to this “Silent Word Exploit” tool, there are other malicious programs, such as a RAT(Remote Access Trojan) called “EyeSpy” and “Backconnect RAT”, aimed at delivering malicious payloads and inject malware inside Office documents. For this “Word Silent Exploit Builder” program, VirusTotal indicated a low detection rate for AV engines, and only 5 engines  of 68 AV products were detecting the malicious file. Heimdal Security has blocked more than 20 domains for these tools and illegitimate uses. Similar tools with these ones focused on malicious activities are: Office Macro Exploit Builder, AKBuilder, OFEX Exploit, and Ancalog Multi Exploit Builder. Another spam campaign that targeted Microsoft Office was spread via Hancitor, a type of malware that cyber criminals were using to convince users into clicking on a malicious link. The link comes with a specially crafted document and an embedded macro code, which, when opened, activates a VBA  (Visual Basic for Applications) code. In this case, the attack vector is an infected documented which is set to generate lots of downloads of different data types. Here’s how the email is displayed: From: [Spoof / Forwarded Sender Address] / Subject line: New incoming fax from [phone number] / Content (sanitized for your protection): http: // agelessshow [.] com? [ obfuscated email address of the recipient] http: // iaasavesthearts [.] com? [obfuscated email address of the recipient] http: // iaaaward [.] com? [obfuscated email address of the recipient] If users try to click on any of the links above, the following document (eFax_ [6 random digits] .doc) is generated. Hancitor will be downloaded from the following URLs (sanitized for your protection) http: // aboutthebike [.] co [.] uk / wp-content / plugins / all-in-one-seo-pack / 1 http: // aboutthebike [.] co [.] uk / wp-content / plugins / all-in-one-seo-pack / 2 http: // aboutthebike [.] co [.] uk / wp-content / plugins / all-in-one-seo-pack / 3 http: // beyondthebag [.] feed projects [.] com / wp-content / plugins / featured-image-widget / 1 http: // beyondthebag [.] feed projects [.] com / wp-content / plugins / featured-image-widget / 2 http: // beyondthebag [.] feed projects [.] com / wp-content / plugins / featured-image-widget / 3 http: // model hover [.] org / 1 http: // model hover [.] org / 2 http: // model hover [.] org / 3 According to VirusTotal, 30 antivirus engines of 59 managed to detect this spam campaign.

How to protect yourself from exploit kits

Exploit kits may provide capabilities for malicious actors to remotely control the exploited system or application, allowing attackers to create a platform for different malicious activities. The worst part is they often go undetected by traditional antivirus products and you need another security layer of protection to better fight against them.

1. Since exploit kits mostly rely on outdated software or vulnerable software, the first thing we highly recommend doing is keep your software up to date at all times. Make sure you have installed the latest updates, whether it’s automatically or manually. Keep everything patched.
2. Because exploit kits can easily evade antivirus detection, you need to add another layer of security on top of your antivirus products for maximum protection such as a proactive cybersecurity software solution.
3. Always have at least two backups of your essential data on external sources like a hard drive or somewhere located in the cloud: Google Drive, Dropbox, etc. Use this guide to know how to do it.
4.  Don’t open, download email (messages) or click on suspicious links received from unknown sources that could damage your computer.
5. Educate yourself and gain knowledge in the threat landscape, so you can learn how to easily detect cyber attacks. These free educational resources might help you learn things you can apply.

Once again, we emphasize the importance of being proactive and taking all needed security measures to protect your valuable data. Stay safe and don’t click on suspicious links or documents!

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

*This article features cyber intelligence provided by CSIS Security Group researchers.