Hackers are getting around security protections in Microsoft Office applications with new techniques that use no macros.

Hackers are getting around security protections in Microsoft Office applications with new techniques that use no macros.

 

According to a blog post by Jérôme Segura, a Malwarebytes security researcher, hackers could use an infection vector that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology.

 

“By embedding a specially-crafted settings file into an Office document, an attacker can trick a user to run malicious code without any further warning or notification,” he said.

 

The file format, specific to Windows 10 called .SettingContent.ms, is essentially XML code that is used to create shortcuts to the Control Panel. 

 

“This feature can be abused because one of its elements (DeepLink) allows for any binary with parameters to be executed. All that an attacker needs to do is add his own command using Powershell.exe or Cmd.exe. And the rest is history,” said Segura.

 

This research follows on from a discovery by security researcher Matt Nelson. In the intervening weeks since the discover, FireEye security researcher Nick Carr has been tracking such attacks with a number of updates on Twitter. 

 

Carr said that the latest examples will download and run a file containing a remote access trojan called Remcos.

 

Segura said that while there has been little development with web exploit kits, there has been a lot of activity with document exploit kits such as Microsoft Word Intruder (MWI) or Threadkit.

 

“These toolkits allow attackers to craft lures and embed the exploit(s) of their choice before either spear phishing their victims or sending the file via larger spam campaigns. At the same time, it looks like classic social engineering attacks aren’t going anywhere anytime soon and will keep capitalising on the human element,” said Segura.



Source link

NO COMMENTS

LEAVE A REPLY