Proofpoint: Microsoft Word Intruder 8 Adds Support for Flash Vulnerability
Researchers from Proofpoint have issued a warning following an analysis of Microsoft Word Intruder (MWI), a kit designed for building malicious Microsoft Word documents for use in targeted attacks.
In a blog post on the firm’s website, Proofpoint staff said the most recent iteration of MWI (Version 8) supports a wide variety of vulnerabilities that actors can exploit via crafted Microsoft Word documents, notably CVE-2016-4117 (Adobe Flash Player up to 22.214.171.124).
Proofpoint observed this updated version in the wild dropping various payloads; for example, RTM Banker on October 21. In this case, the document “business project laveco price.doc.rtf” was delivered via email and targeted at retail, financial, and manufacturing verticals.
The Adobe Flash Player zero-day CVE-2016-4117 itself was discovered by FireEye, and was first used by an APT actor named “ScarCruft”, as described by Kaspersky. The exploit was later integrated into multiple exploit kits.
“When we examined the MWI CVE-2016-4117 addition, it appears that this exploit document builder reused the original exploit code without modifying anything except the shellcode. The first Flash file decrypts a second Flash file, which triggers the vulnerability,” Proofpoint staff wrote.
Available on underground markets since 2013, MWI is an example of the sort of sophisticated crimeware used to develop attacks.
“Microsoft Word Intruder has been around for a while and version 8 adds to its functionality,” Javvad Malik, security advocate at AlienVault, told Infosecurity. “In terms of its use, MWI has always been touted as one of the more targeted tools, marketing itself to the discerning stealth hacker. Or in other words an APT for the masses.”
“Crafted Word documents are probably most often used in phishing campaigns to gain access to a victim’s computer by getting them to open a malicious attachment,” added Tripwire security researcher Craig Young. “Attackers apply social engineering tactics to convince email recipients to open an attachment. Organizations or individuals handling Word documents would probably have a higher risk of being targeted.”
It is important to keep Office, Flash, Windows and other software up to date with the latest security fixes and to disable macros in Office, Young continued.
“Don’t open Word documents that aren’t from trusted sources. If a document must come from an untrusted source, consider using VirusTotal and make sure Word is configured with restrictive settings. It may be advisable to sandbox document viewing through a cloud infrastructure or within a virtual machine.”
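The Proofpoint description above (an RTF carrying a Flash file that triggers the vulnerability) and Young's advice to screen documents from untrusted sources both point at the same defensive check: before a document reaches a user, look inside its embedded objects for Flash content. The following Python script is an added example written for this article, not code from Proofpoint, Infosecurity Magazine or MWI. It parses `\objclass` and `\objdata` entries out of an RTF, hex-decodes each object, and flags any object that declares the Flash ActiveX ProgID or whose bytes contain a plausible SWF header (`FWS`, `CWS` or `ZWS`). The two sample RTFs are constructed inline; the 8-byte wrapper prefix, the ProgID string and the SWF stub bytes are assumptions standing in for real OLE wrapper data, and the check is a coarse triage heuristic rather than a replacement for a full OLE parser or antivirus.

```python
import binascii
import re
from typing import List, Optional, Tuple

# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed
FLASH_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Fragment of the Flash ActiveX ProgID as it appears in an RTF \objclass
FLASH_PROGID_FRAGMENT = "shockwaveflash"

# {\*\objclass Name} and {\*\objdata 0105...} inside an \object group
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def find_swf_header(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, magic) of the first plausible SWF header in blob, else None.

    A bare 3-byte magic is too weak on its own, so the version byte (1..60) and the
    little-endian file length (at least the 8-byte header) are checked too.
    """
    for magic in FLASH_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            if off + 8 <= len(blob):
                version = blob[off + 3]
                length = int.from_bytes(blob[off + 4:off + 8], "little")
                if 1 <= version <= 60 and length >= 8:
                    return off, magic.decode()
            start = off + 1
    return None


def scan_rtf(data: bytes) -> List[dict]:
    """Flag embedded objects that declare or contain Flash content."""
    findings = []
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).strip().decode("latin-1")
        if FLASH_PROGID_FRAGMENT in cls.lower():
            findings.append({"type": "objclass", "value": cls})
    for idx, m in enumerate(OBJDATA_RE.finditer(data)):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - (len(hexstr) % 2)]  # drop a dangling nibble
        blob = binascii.unhexlify(hexstr)
        hit = find_swf_header(blob)
        if hit is not None:
            off, magic = hit
            findings.append({"type": "swf_header", "object": idx, "offset": off, "magic": magic})
    return findings


# --- constructed samples (assumptions, not real document data) ---------------
# 8-byte prefix standing in for the OLE wrapper that precedes an embedded file
WRAPPER_PREFIX = b"\x01\x05\x00\x00\x02\x00\x00\x00"
# 26-byte stub: "FWS", version 10, length 26, then filler bytes
SWF_STUB = (b"FWS" + bytes([10]) + (26).to_bytes(4, "little")
            + bytes.fromhex("7800055f00000fa000000c01004302ffffff"))
PACKAGE_STUB = b"\x07\x00\x00\x00Package\x00"


def build_rtf(objects) -> bytes:
    """Assemble a minimal RTF with one \\object group per (class, payload) pair."""
    parts = [b"{\\rtf1\\ansi"]
    for cls, payload in objects:
        hexdata = binascii.hexlify(WRAPPER_PREFIX + payload)
        parts.append(b"{\\object\\objemb{\\*\\objclass " + cls
                     + b"}{\\*\\objdata " + hexdata + b"}}")
    parts.append(b"Quarterly price list (constructed body text).}")
    return b"\n".join(parts)


BENIGN_RTF = build_rtf([(b"Package", PACKAGE_STUB)])
SUSPECT_RTF = build_rtf([(b"Package", PACKAGE_STUB),
                         (b"ShockwaveFlash.ShockwaveFlash.9", SWF_STUB)])

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, scan_rtf(doc))
```

Run as a mail-gateway or triage step, a non-empty result is a reason to quarantine the attachment and detonate it in a sandbox, which is the point of Young's suggestion to view untrusted documents in a virtual machine rather than on the endpoint. Compressed (`CWS`/`ZWS`) payloads are detected by their header only; inflating them to inspect the inner Flash file, which in the MWI case decrypts a second SWF, would need the zlib or LZMA step added.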
Source: Information Security Magazine