A few weeks ago, a security researcher reported a flaw that affects all versions of Microsoft Office that could be exploited by attackers to spread macro-based self-replicating malware.
Microsoft promptly implemented a security mechanism in MS Office that prevents such kind of attacks.
Now the researcher from the security firm InTheCyber Lino Antonio Buono has found has devised an attack technique to bypass the security control implemented by Microsoft and create self-replicating malware hidden in MS Word documents.
Buono reported the flaw to Microsoft in October, but unfortunately, the tech giant doesn’t consider the issue a security vulnerability. Microsoft explained that the feature exploited by the Italian researcher was implemented to work exactly in this way.
The worst news is that crooks are already exploiting the same attack vector devised by Buono.
A couple of days ago, malware researchers from Trend Micro detailed a recently discovered macro-based self-replicating ransomware dubbed ‘qkG‘ that exploits the same MS office feature used by Buono in his attack technique.
“Further scrutiny into qkG also shows it to be more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild. This, however, doesn’t make qkG less of a threat. As the qkG samples demonstrated, its behaviors and techniques can be fine-tuned by its developer or other threat actors.” states the analysis published by Trend Micro.
“When we first saw samples of it in VirusTotal last November 12, for instance, it didn’t have a Bitcoin address yet. It had one only two days later, along with a routine that encrypts a document on a specific day and time. The next day, we saw a qkG sample with a different behavior (viz., not encrypting documents with a specific file name format).”
The qkG ransomware relies on the Auto Close VBA macro technique to execute malicious macro when victim closes the document.
Although the first variant of the qkG ransomware did include a Bitcoin address, the latest sample analyzed by Trend Micro includes it and demands $300 in BTC.
Experts observed that the Bitcoin address hasn’t received any payment yet, a circumstance that suggest crooks still haven’t spread it in the wild.
Experts also discovered the qkG ransomware is currently using the hardcoded password “I’m QkG@PTM17! by TNA@MHT-TT2” that allows to decrypt the files.
Buono shared a video PoC of the attack technique with colleagues at The Hacker News. The video shows how an MS Word document embedding malicious VBA code could be used to deliver a self-replicating multi-stage malware.
Microsoft has untrusted external macros by default and to restrict default programmatic access to Office VBA project object model. Users can manually enable “Trust access to the VBA project object model,” if required.
Once the “Trust access to the VBA project object model” setting is enabled, MS Office trusts all macros and automatically runs any code without showing any security warning or requiring user’s permission.
Buono discovered that it is possible to enabled/disabled the “Trust access to the VBA project object model” setting by editing a Windows registry, eventually enabling the macros to write more macros without the user’s consent and knowledge.
The malicious MS Doc file crafted by Buono that is used in the video PoC first edits the Windows registry and then injects the same macro payload (VBA code) into every doc file that the victim manipulates.
The Buono’s attack technique just sees attackers tricking victims into run macros included in a bait document.
“In order to (partially) mitigate the vulnerability it is possible to move the AccessVBOM registry key from the HKCU hive to the HKLM, making it editable only by the system administrator.” Buono suggests as mitigation strategy.
(Security Affairs – Self-Replicating Malware, ransomware)