Archive for the ‘office’ Category

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

June 14th, 2016

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar manner, and this use of OLE might indicate a shift in behavior as administrators and enterprises mitigate that infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with it (it is usually represented with a script-like icon). When the user interacts with the object, a warning asks whether to proceed. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can follow.

Packager warning

Figure 1: Warning message prompts the users to check whether they should open the script or not.

It’s important to note that user interaction and consent are still required to execute the malicious payload. If the user doesn’t enable or click the object, the code will not run and no infection will occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.

Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents

It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant

The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant

It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.
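As an added example (this is not code from the MMPC post or from Office), the following Python script triages an OOXML document for the kind of embedded object described above. It reads the OOXML container, finds `<o:OLEObject>` elements, resolves each to its embedded `oleObject*.bin` part through the part's `.rels` file, and checks that part's raw bytes for the Packager markers: a ProgID of "Package", the `\x01Ole10Native` stream name that carries a Packager payload, and a file name with a script or executable extension. It also notes whether a VBA project is present. The function names (`scan_ooxml`, `build_sample_docx`) are mine, the sample document it builds is constructed for offline testing and is not a real malware sample, and the whole thing is a first-pass heuristic for OOXML files only; legacy binary `.doc` files and anything needing a real OLE parse should go through a tool such as oletools.

```python
"""Triage an OOXML file (docx/docm/xlsx/pptx) for embedded OLE Packager objects.

Added example (not MMPC code), standard library only. Heuristic first pass: it
reads the OOXML container, finds <o:OLEObject> elements, resolves each to its
embedded oleObject*.bin part and checks that part's raw bytes for the Packager
markers the post describes. Use a real OLE parser (e.g. oletools) for depth.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

NS_O = "urn:schemas-microsoft-com:office:office"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # OLE compound file header
OLE10_NATIVE = "\x01Ole10Native".encode("utf-16-le")   # stream that carries a Packager payload
# A name with one of these extensions is handed to a script host or run directly on activation.
EXEC_NAME = re.compile(rb"[\w\-]+\.(?:vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd|exe|scr)\b", re.I)


def _rel_targets(z: zipfile.ZipFile, part: str) -> dict:
    """Map r:id -> zip path using the part's .rels file (e.g. word/_rels/document.xml.rels)."""
    folder, _, name = part.rpartition("/")
    rels = f"{folder}/_rels/{name}.rels" if folder else f"_rels/{name}.rels"
    if rels not in z.namelist():
        return {}
    targets = {}
    for rel in ET.fromstring(z.read(rels)).findall(f"{{{NS_PR}}}Relationship"):
        t = rel.get("Target", "")
        targets[rel.get("Id")] = t.lstrip("/") if t.startswith("/") else f"{folder}/{t}"
    return targets


def scan_ooxml(data: bytes) -> dict:
    """Return {'macros': bool, 'objects': [per-object dicts], 'flags': [strings]}."""
    result = {"macros": False, "objects": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.endswith("vbaProject.bin") for n in names):
            result["macros"] = True
            result["flags"].append("VBA project present (macro-enabled document)")
        for part in (n for n in names if n.endswith(".xml")):
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue
            objects = list(root.iter(f"{{{NS_O}}}OLEObject"))
            if not objects:
                continue
            rels = _rel_targets(z, part)
            for obj in objects:
                progid = obj.get("ProgID", "")
                target = rels.get(obj.get(f"{{{NS_R}}}id"), "")
                blob = z.read(target) if target in names else b""
                entry = {"part": part, "progid": progid, "target": target,
                         "is_cfb": blob.startswith(CFB_MAGIC),
                         "ole10native": OLE10_NATIVE in blob,
                         "exec_names": sorted({m.group(0).decode("latin-1").lower()
                                               for m in EXEC_NAME.finditer(blob)})}
                result["objects"].append(entry)
                if progid == "Package" or entry["ole10native"]:
                    result["flags"].append(f"{part}: embedded Packager object -> {target or '?'}")
                if entry["exec_names"]:
                    result["flags"].append(f"{target}: script/executable name(s) {entry['exec_names']}")
    return result


def build_sample_docx(with_package: bool) -> bytes:
    """Constructed minimal docx for offline testing; not a real malware sample."""
    ole = ('<o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon" '
           'ObjectID="_1" r:id="rId4"/>' if with_package else "")
    document = (f'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                f'xmlns:o="{NS_O}" xmlns:r="{NS_R}"><w:body><w:p><w:r><w:object>{ole}'
                "</w:object></w:r></w:p></w:body></w:document>")
    rels = (f'<Relationships xmlns="{NS_PR}"><Relationship Id="rId4" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="embeddings/oleObject1.bin"/></Relationships>')
    # Fake oleObject1.bin: only the bytes the heuristic looks at (CFB magic, stream name, file name).
    blob = CFB_MAGIC + b"\x00" * 24 + OLE10_NATIVE + b"\x00" * 8 + b"\x02\x00invoice.vbs\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        if with_package:
            z.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx(True)
    for flag in scan_ooxml(data)["flags"] or ["no embedded packages or macros found"]:
        print(flag)
```

Run it with a path to a suspect file, or with no arguments to see it flag the constructed sample. Because the icon shown to the user can be anything (Figure 4), the scan deliberately ignores the icon and shape data and keys on the ProgID, the stream name and the payload file name instead.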

Technical details – downloading and decrypting a binary

In the sample we investigated, the content of the social-engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this infection vector: it has a “decryption function”.

This malicious VB script downloads an encrypted binary (so network-based protection that relies on recognizing a malicious file format on the wire sees only opaque data), decrypts the binary, and then runs it. Figure 5 shows the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary

The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable

Prevalence

Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first saw them in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence

Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by setting the PackagerPrompt value under the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security (for example, HKCU\Software\Microsoft\Office\16.0\Word\Security).

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)

Setting the value to 2 causes the Office application to disable packages: they won’t be activated if a user tries to interact with or double-click them.

The value options for PackagerPrompt are:

  • 0 – No prompt from Office when the user clicks; the object executes
  • 1 – Prompt from Office when the user clicks; the object executes if the user accepts
  • 2 – No prompt; the object does not execute

Because the key lives under HKCU, it has to be set for each user (for example, through Group Policy Preferences or a logon script) rather than once per machine. You can find details about this registry key in the Microsoft Support article https://support.microsoft.com/en-us/kb/926530

See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks.

Alden Pornasdoro

MMPC

Malicious macro using a sneaky new trick

May 18th, 2016

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project with a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We detect it as TrojanDownloader:O97M/Donoff, a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more posts).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

The VBA modules look like a legitimate SQL-related macro program; we found no malicious code there. However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough, there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. The project uses the default AutoOpen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) runs automatically if the user enables macros when opening the file. Our strongest recommendation for preventing Office-targeting macro-based malware is to enable macros only if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

New feature in Office 2016 can block macros and help prevent infection

March 22nd, 2016

Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.

Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.

In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal of macro-based malware appears to rely on the victim’s likelihood of enabling macros. Previous versions of Office show a warning when opening documents that contain macros, but malware authors have become more persuasive in their social engineering, luring users to enable macros in good faith and infecting them as a result.

Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators reduce the risk from macros in certain high-risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Blocks easy access to enabling macros in scenarios considered high risk.
  3. Provides end users with a different and stricter notification, so it is easier for them to distinguish a high-risk situation from a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
  2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email).
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

Word document instructing a user to enable macros to get out of protected view mode

However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled

James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows attaches to a file to record where it came from (the Zone.Identifier alternate data stream, also known as the mark of the web). If the location the file originates from is considered the Internet zone by Windows, macros are disabled in the document. The mark is only as reliable as the path the file took: a file that arrives without it (for example, extracted by a tool that does not propagate the zone, or copied from removable media) is not treated as coming from the Internet. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.

Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.
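As an added example (not Microsoft's code), the following Python script audits and, on request, enforces the two registry-backed hardening settings covered on this page for the current user's HKCU hive: PackagerPrompt under HKCU\Software\Microsoft\Office\<version>\<app>\Security from the OLE post above (2 = no prompt, object does not execute), and the Office 2016 policy value blockcontentexecutionfrominternet under HKCU\Software\Policies\Microsoft\Office\16.0\<app>\Security, which is the value the "Block macros from running in Office files from the Internet" Group Policy setting writes (1 = enabled). The read and write callables are injectable, so the audit logic runs against a constructed in-memory store off Windows; the function names (`audit`, `enforce`, `dict_store`) are mine. Because both keys are per user, in an enterprise they should be delivered by Group Policy (the Policies key is the GPO's own) or a per-user logon script rather than by an administrator running this once.

```python
"""Audit and enforce Office OLE-package and Internet-macro hardening via the registry.

Added example (not Microsoft code). Operates on the current user's HKCU hive when
run on Windows; the audit logic itself is pure and takes injectable read/write
callables so it can be exercised with a constructed in-memory store elsewhere.
"""
import sys

OFFICE_VERSIONS = {"16.0": "Office 2016", "15.0": "Office 2013",
                   "14.0": "Office 2010", "12.0": "Office 2007"}
APPS = ("Word", "Excel", "PowerPoint")

# PackagerPrompt (KB 926530): 0 = no prompt, object executes; 1 = prompt, then
# executes; 2 = no prompt, object does not execute. Absent = Office default (prompt).
PACKAGER_MEANING = {None: "absent: Office default, prompt then execute",
                    0: "no prompt, object executes",
                    1: "prompt, then object executes",
                    2: "no prompt, object does not execute"}
DESIRED = {"PackagerPrompt": 2, "blockcontentexecutionfrominternet": 1}


def packager_key(version: str, app: str) -> str:
    return rf"Software\Microsoft\Office\{version}\{app}\Security"


def macro_block_key(app: str) -> str:
    # Office 2016 policy written by "Block macros from running in Office files from the Internet"
    return rf"Software\Policies\Microsoft\Office\16.0\{app}\Security"


def audit(read) -> list:
    """read(subkey, value_name) -> int | None. Returns one finding per setting and app."""
    findings = []
    for ver, label in OFFICE_VERSIONS.items():
        for app in APPS:
            key = packager_key(ver, app)
            val = read(key, "PackagerPrompt")
            findings.append({"setting": "PackagerPrompt", "version": label, "app": app,
                             "subkey": key, "value": val, "compliant": val == 2,
                             "meaning": PACKAGER_MEANING.get(val, f"unexpected value {val!r}")})
    for app in APPS:
        key = macro_block_key(app)
        val = read(key, "blockcontentexecutionfrominternet")
        findings.append({"setting": "blockcontentexecutionfrominternet", "version": "Office 2016",
                         "app": app, "subkey": key, "value": val, "compliant": val == 1,
                         "meaning": "Internet-zone macros blocked" if val == 1 else "not enforced"})
    return findings


def enforce(findings: list, write) -> int:
    """write(subkey, value_name, dword). Fixes every non-compliant finding; returns the count."""
    changed = 0
    for f in findings:
        if not f["compliant"]:
            write(f["subkey"], f["setting"], DESIRED[f["setting"]])
            changed += 1
    return changed


# Windows backends (HKCU of the user running the script).
def winreg_read(subkey, name):
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
            value, kind = winreg.QueryValueEx(k, name)
    except FileNotFoundError:      # key or value missing -> Office default applies
        return None
    return value if kind == winreg.REG_DWORD else None


def winreg_write(subkey, name, dword):
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, subkey, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, name, 0, winreg.REG_DWORD, dword)


def dict_store(store: dict):
    """Constructed in-memory stand-in for the registry: store[(subkey, name)] = dword."""
    return (lambda subkey, name: store.get((subkey, name)),
            lambda subkey, name, dword: store.__setitem__((subkey, name), dword))


if __name__ == "__main__":
    if sys.platform == "win32":
        read, write = winreg_read, winreg_write
    else:  # off Windows, demonstrate against a constructed store with one hardened entry
        read, write = dict_store({(packager_key("16.0", "Word"), "PackagerPrompt"): 2})
    results = audit(read)
    for f in results:
        print(f"{f['version']:<12}{f['app']:<11}{f['setting']:<35}{f['meaning']}")
    if "--enforce" in sys.argv:
        print(f"changed {enforce(results, write)} value(s)")
```

Run it without arguments to see the current state for every version and application, and with `--enforce` to write the hardened values. An absent PackagerPrompt value is reported as non-compliant on purpose: the default is to prompt and then execute, which is exactly the dialog the OLE post's Figure 1 shows users clicking through.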

 

Final tips

For end users, we always recommend that you don’t enable macros on documents from a source you do not trust or know, and that you be careful even with macros in attachments from people you do trust, in case their account has been compromised.

For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.

Categories: macros, office, spam

December 2014 Updates

December 9th, 2014

Today, as part of Update Tuesday, we released seven security updates – three rated Critical and four rated Important in severity, to address 24 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released two Security Bulletins:

One Security Advisory was revised:

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Advance Notification Service for the December 2014 Security Bulletin Release

December 4th, 2014

Today, we provide advance notification for the release of seven Security Bulletins. Three of these updates are rated Critical and four are rated as Important in severity. These updates are for Microsoft Windows, Internet Explorer (IE), Office and Exchange.

As per our monthly process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, December 9, 2014, at approximately 10 a.m. PST. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

Follow us on Twitter at @MSFTSecResponse

Tracey Pretorius, Director
Response Communications

June 2013 Security Bulletin Webcast, Q&A, and Slide Deck

June 14th, 2013

Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page.  We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, July 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, July 10, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

November 2012 Bulletin Release

November 13th, 2012

Security Updates
Today we released six security bulletins to help protect our customers – four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel. For those who need to prioritize deployment, we recommend focusing on these two Critical updates first:

MS12-071 (Internet Explorer): This bulletin addresses three privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in code execution with the current user’s privileges. As such, we recommend the best practice of running applications with the least privileges possible in order to help mitigate potential risks. These issues do not affect Internet Explorer 10.

MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which are currently known to be under active attack. This bulletin affects all supported versions of Microsoft Windows. The most severe issue could result in remote code execution if an attacker is able to lure a user to a website with a maliciously crafted TrueType font file embedded.

Security Update Re-release
In October we released Security Advisory 2749655 that addresses potential compatibility issues due to signature timestamps expiring before they should and noted we would be providing updates as they become available. Today we are providing one such update for MS12-046 (Visual Basic), which is now listed as available in the advisory. We have also released MS12-062 (System Center Configuration Manager 2007) to address an issue in the localization of resource files. Users who have already successfully installed the English versions of this update do not need to take any action.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. For an overview of the bulletins please watch the video below.

We recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in deployment planning.

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index.

Thanks for reading and join us tomorrow (Wednesday, Nov. 14, 2012) at 11 a.m. PST for a live webcast with Jeremy Tinder and myself, as we share greater details about these bulletins. As always, we will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Advance Notification Service for November 2012 Security Bulletin Release

November 8th, 2012

Today, we’re providing advance notification for six bulletins to help protect customers against 19 CVEs. The four Critical-rated updates will address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework. One bulletin rated Important will address four vulnerabilities in Microsoft Office and finally, one Moderate update will address two issues in Microsoft Windows.

As usual, the bulletin release is scheduled for the second Tuesday of the month, November 13, 2012, at approximately 10 a.m. PST. We recommend that customers review the ANS summary page for more information and prepare for bulletin testing and deployment as soon as possible to help ensure a smooth update process. For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

December 2010 Security Bulletin Release

December 14th, 2010

Hi everyone. As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two of those bulletins carry a Critical rating, while 14 are rated Important and one is rated Moderate.

We’ve assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

  • MS10-090 This bulletin resolves seven issues — five Critical, two Moderate — affecting all supported versions of Internet Explorer, on both Windows clients and Windows servers. Among its other updates, it addresses a vulnerability previously described in Security Advisory 2458511.
  • MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows’ OpenType Font driver. All three issues were privately reported and we are not aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry lower severity ratings – including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. To assist in your planning and implementation of the bulletins, please consult this month’s Deployment Priority chart.

Jerry Bryant, group manager for response communications, gives more information about the December bulletins in this overview video:

More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page. Our Exploitability Index provides additional information to help customers plan for deployment of these monthly security bulletins.

We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month’s update.

Finally, we invite everyone to join the monthly technical webcast to learn more about the December 2010 security bulletin release. The webcast is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC -8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Senior Marketing Communications Manager

The Get On The Bus tour is coming and we’re bringing some free SWAG!

April 27th, 2010

We are giving away 50 copies of Windows 7 Ultimate for the first 50 Get On the Bus event attendees through the door at EVERY STOP! Don’t miss your chance to win a copy of Microsoft’s newest software offering plus some chances at some other great swag so hurry and register today at www.thebustour.com.


What is the “Get On The Bus Tour”? Well, it’s where Microsoft comes to you. We are coming to the East Coast May 21-June 4! Come spend some time with us as we travel the East Coast for a deep dive into Windows 7 and Office 2010, along with a specific path on how to get certified. Learn why Windows 7 has received rave reviews from IT organizations and why so many IT Pros are excited about Office 2010. We will show you best practices for deploying Windows 7 and how to keep it running efficiently after deployment. We will also take a tour through all of the Office 2010 features from an IT Professional’s point of view. Registration is free but limited at http://thebustour.com .


For the latest updates follow us on Twitter @thebustour


Disclaimer:


To receive your free copy of Windows 7 Ultimate, be one of the first 50 people who are US residents (includes D of C) or Canada 18+ to arrive at a Microsoft Get On the Bus Tour afternoon event.  50 copies of the software title are available. Limit one gift per person.  This offer is non-transferable and cannot be combined with any other offer.  This offer ends on June 4, 2010 while supplies last, and is not redeemable for cash.  Taxes, if any, are the sole responsibility of the recipient.  There is no shipment of your gift – all gifts will be distributed onsite.

MDOP 2010, Windows 7, and Office 2010 – Coming to a City Near You!

April 12th, 2010


“Get On the Bus” is back in North America!

Montreal, May 21 | Boston, May 24 | New York, May 25 | Philadelphia, May 26 | Washington DC, May 27 & 28 | Richmond, June 1 | Raleigh, June 2 | Charlotte, June 3 | Atlanta, June 4 | New Orleans, June 5

www.thebustour.com

The Get On the Bus Tour is back home and we’re kicking off our new tour with a visit to Canada! Montreal marks our first location on a 10-city North American road show en route to TechEd in New Orleans, June 7. Come spend some time with us as we tour the East Coast for a deep dive into MDOP 2010, Windows 7 and Office 2010, along with a specific path on how to get certified. Learn why Windows 7 has received rave reviews from IT organizations and is setting records as the fastest selling operating system in history. Find out why so many IT Pros are eagerly awaiting the release of Office 2010. We will show you both the best practices for deploying Windows 7 and MDOP 2010 and how to keep it running efficiently after deployment. We will also take a tour through all of the features of Office 2010 from an IT Professional’s point of view. It’s time to join us at a stop nearest you for technical training, professional networking, hands-on experiences, and real world guidance from industry experts sent to you from Redmond. Don’t miss your chance to “Get On the Bus!”

Register for your local event today at www.thebustour.com.

Get your Bus Tour updates first! Follow us on Twitter @thebustour