According to Trustwave SpiderLabs, a new type of malware is circulating on the network, disguised as a Word text document and distributed by e-mail. Attackers have used this delivery method for a long time, but the key feature of this virus is the complete absence of macros, something not previously encountered.
Previously, when users opened infected attachments, they saw warnings or pop-ups. With the new virus this does not happen. Using it, attackers can steal credentials from the victim's e-mail client, FTP client and browsers. The researchers noted the multi-layered nature of the attack, comparing it to a turducken, a festive dish in which a chicken is stuffed inside a duck, which in turn is stuffed inside a turkey.
Researchers at Trustwave said the virus uses a combination of methods that begins with an object embedded in a .DOCX file. Victims receive various finance-related messages by e-mail. All e-mails discovered by the experts carried an attachment named “receipt.docx”.
The four-step attack begins when the victim opens the .DOCX file and the embedded OLE object, which contains links, is activated. This lets the document reference remote OLE objects on an external server. According to the researchers, the attackers exploit the fact that Word documents created with Microsoft Office 2007 use the Open XML format, which is based on XML and ZIP archives, so such files can easily be manipulated programmatically or by hand.
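Because a .docx is a ZIP archive of XML parts, the external OLE link this stage relies on is visible in the package's relationship files without ever opening the document in Word. The Python script below is an added example written for this article, not code from Trustwave SpiderLabs: it builds a minimal constructed .docx in memory (using a placeholder URL, not an indicator from the report) and lists every relationship whose TargetMode is External, flagging the oleObject and attachedTemplate types as high risk because an ordinary receipt has no reason to load either from outside the file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of every *.rels part inside an Open XML package.
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types that should practically never point outside the package
# in an ordinary invoice or receipt. Hyperlinks are External too, but benign.
HIGH_RISK_TYPES = {"oleObject", "attachedTemplate"}


def find_external_relationships(docx_bytes):
    """Walk every .rels part of a .docx (a ZIP archive) and list relationships
    whose TargetMode is External, flagging the high-risk types."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_RELS_NS):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "high_risk": rel_type in HIGH_RISK_TYPES,
                })
    return findings


def build_sample_docx(external_ole_target=None):
    """Construct a minimal .docx in memory purely to exercise the scanner
    (constructed sample, not a real document from the report). When a target
    is given, word/_rels/document.xml.rels carries an External oleObject link."""
    doc_rels = [
        f'<Relationship Id="rId1" Type="{REL_BASE}/styles" Target="styles.xml"/>'
    ]
    if external_ole_target:
        doc_rels.append(
            f'<Relationship Id="rId2" Type="{REL_BASE}/oleObject" '
            f'Target="{external_ole_target}" TargetMode="External"/>'
        )
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'
        ),
        "_rels/.rels": (
            f'<Relationships xmlns="{PKG_RELS_NS}"><Relationship Id="rId1" '
            f'Type="{REL_BASE}/officeDocument" Target="word/document.xml"/></Relationships>'
        ),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p/></w:body></w:document>'
        ),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{PKG_RELS_NS}">{"".join(doc_rels)}</Relationships>'
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for part_name, xml in parts.items():
            zf.writestr(part_name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not a real indicator from the report.
    sample = build_sample_docx("http://example.invalid/stage2.rtf")
    for hit in find_external_relationships(sample):
        print(hit)
    print("clean document:", find_external_relationships(build_sample_docx()))
```

Pointing `find_external_relationships` at the bytes of a real attachment works the same way; a mail gateway rule that quarantines any document with a high-risk external relationship catches this stage before the RTF is ever fetched.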
In the second step, the Word file is used to download a file with the RTF extension. That file exploits a vulnerability in the Office Equation Editor that Microsoft patched in November last year. In the third step, text inside the RTF file is decoded and runs MSHTA from the command line, which downloads and opens an HTA file. The HTA file contains a PowerShell script that runs the Password Stealer malware. This virus steals credentials from e-mail, FTP and browser programs.
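For the RTF stage, a defender can triage the embedded objects before the file is ever handed to Word or the Equation Editor. The Python script below is an added example, not Trustwave's tooling: it walks every `\object` group in an RTF file, reports the declared object class, whether `\objupdate` forces the object to load on open, and the size of the hex-encoded `\objdata` payload. The RTF it scans is constructed with filler hex bytes rather than taken from the attack, and the one assumption is that Equation Editor objects declare a class name beginning with "Equation" (as Equation.3 does).

```python
import re

# Equation Editor objects register under class names such as "Equation.3".
EQUATION_PREFIX = "equation"


def _group_end(text, start):
    """Return the index just past the RTF group whose '{' sits at text[start],
    honouring backslash escapes such as \\{ and \\}."""
    depth = 0
    i = start
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2            # skip the escaped character / control symbol
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)


def inspect_rtf_objects(rtf_text):
    """List every \\object group with the facts a defender wants: the declared
    class, whether \\objupdate forces loading on open, and the decoded size of
    the hex \\objdata payload."""
    findings = []
    for m in re.finditer(r"\{\\object\b", rtf_text):
        group = rtf_text[m.start():_group_end(rtf_text, m.start())]
        cls = re.search(r"\\objclass\s*([^\\{};]*)", group)
        data = re.search(r"\\objdata\s*([0-9A-Fa-f\s]*)", group)
        objclass = cls.group(1).strip() if cls else ""
        hex_payload = re.sub(r"\s+", "", data.group(1)) if data else ""
        findings.append({
            "objclass": objclass,
            "auto_update": "\\objupdate" in group,
            "objdata_bytes": len(hex_payload) // 2,
            "equation_editor": objclass.lower().startswith(EQUATION_PREFIX),
        })
    return findings


# Constructed RTF with two embedded objects; the hex payloads are arbitrary
# filler, not exploit data, and this is not a sample from the report.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}"
    r"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}"
    r"\par}"
)


def triage(rtf_text=SAMPLE_RTF):
    """Return the objects worth escalating: any Equation Editor object, or any
    object marked to auto-update (and therefore load) as soon as the file opens."""
    return [o for o in inspect_rtf_objects(rtf_text)
            if o["equation_editor"] or o["auto_update"]]


if __name__ == "__main__":
    for obj in inspect_rtf_objects(SAMPLE_RTF):
        print(obj)
    print("escalate:", triage())
```

Real samples often pad or obfuscate the control words, so this string-level check is a first pass for a gateway or sandbox, not a substitute for the vendor patch; an RTF attachment that carries an Equation Editor object at all is reason enough to quarantine it on a patched or unpatched estate alike.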
The experts noted the unusually large number of stages and scripts used by this virus. In addition, DOCX, RTF and HTA files are rarely blocked by mail or network gateways, unlike more obviously dangerous types such as VBS, JScript or WSF.
Do not forget: you should not open files received from unknown senders.