Hackers using new macro-less techniques to distribute malware

By
Hackers using new macro-less techniques to distribute malware

Hackers are getting around security protections in Microsoft Office applications with new techniques that use no macros.

Hackers are getting around security protections in Microsoft Office applications with new techniques that use no macros.
 
According to a blog post by Jérôme Segura, a Malwarebytes security researcher, hackers could use an infection vector that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology.
 
"By embedding a specially-crafted settings file into an Office document, an attacker can trick a user to run malicious code without any further warning or notification," he said.
 
The file format, specific to Windows 10 called .SettingContent.ms, is essentially XML code that is used to create shortcuts to the Control Panel. 
 
"This feature can be abused because one of its elements (DeepLink) allows for any binary with parameters to be executed. All that an attacker needs to do is add his own command using Powershell.exe or Cmd.exe. And the rest is history," said Segura.
 
This research follows on from a discovery by security researcher Matt Nelson. In the intervening weeks since the discover, FireEye security researcher Nick Carr has been tracking such attacks with a number of updates on Twitter. 
 
Carr said that the latest examples will download and run a file containing a remote access trojan called Remcos.
 
Segura said that while there has been little development with web exploit kits, there has been a lot of activity with document exploit kits such as Microsoft Word Intruder (MWI) or Threadkit.
 
"These toolkits allow attackers to craft lures and embed the exploit(s) of their choice before either spear phishing their victims or sending the file via larger spam campaigns. At the same time, it looks like classic social engineering attacks aren’t going anywhere anytime soon and will keep capitalising on the human element," said Segura.
Copyright © SC Magazine, UK edition
Tags:

Most Read Articles

Hackers using brute-force attacks to infiltrate e-mail systems protected by MFA

Hackers using brute-force attacks to infiltrate e-mail systems protected by MFA

Re-designed Gmail poses new potential threat to 1.4 billion users

Re-designed Gmail poses new potential threat to 1.4 billion users

GitHub now warns you about flaws affecting your Python code

GitHub now warns you about flaws affecting your Python code

My Health Record: the case for opting out

My Health Record: the case for opting out