Reported by: Acronis (TRU) just published a comprehensive investigation that reveals a highly sophisticated malware operation targeting Taiwan's growing drone industry. Dubbed "WordDrone," the malware deploys a version of Microsoft Word from the 1990s to install a persistent backdoor-the kind of threat that puts the security of companies in Taiwan's growing drone industry in real jeopardy. At this stage, one suspects that strategic military and technological positions of Taiwan provide the rationale behind this breach designed to extract critical information. It is during times when investments by the government in drone technology are accelerating.
How WordDrone Operates
A new malware uses the side-loading technique by which it involves a vulnerable version of Microsoft Word 2010. Using a compromised version of Word, attackers loaded three files on the target system: a legitimate copy of the Microsoft Word application, known as winword, a malicious DLL file named wwlib.dll, and an encrypted additional file with a random name.
Then, an unconscious download of the malicious DLL by running the benign Microsoft Word file becomes a delivery method to decrypt and run the real payload of malware. This technique is the exploitation of the weakness within how older versions of Microsoft Word treat DLL files: the malicious DLL can actually masquerade as part of Microsoft Office. Such an approach will make WordDrone virtually impossible for any traditional security tool to detect and block since the files that are infected look legitimate to most detection systems.
Detection Evasion Advanced Tactics
Moreover, many of the malicious DLL files are digitally signed using highly recently expired certificates. This kind of approach, a disguise for legitimacy, many security systems employ to verify software, makes detection much more difficult. This strategy gives WordDrone an advantage bypassing defences based on trusting signed binaries, which makes it rather difficult to detect.
After running it, the threat performs a stage of well-crafted operations. The payload begins with a shellcode stub that unpacks and injects an "install.dll" component creating persistence on the affected system. The install.dll file allows malware to be present even after reboots by various techniques: it can install malware as a background service, schedule it as a recurring task, or inject the next phase of malware execution, and does not need permanent installation.
Persistence and Defense Evasion Techniques
It applies advanced techniques in a way that it stays non-observable and keeps running. Its techniques begin with NTDLL unhooking, which disables the setting of security hooks by monitoring software and re-loads a fresh instance of the NTDLL library so that security tools cannot intervene with that. In addition to that, it keeps the EDR quiet. This scan for active security processes sets up blocking rules within Windows Firewall to dampen the functions of identified security tools, effectively disabling detection capabilities that may raise defences against its presence.
Command-and-Control (C2) Communication for Remote Control
Another advanced feature about WordDrone is the ability to communicate with a C2 server, meaning the attackers can control the malware even after it is installed. The communication schedule is hardcoded within the malware by implementing a bit array that states some active hours in a week. The malware requests from the C2 server additional details or more malicious files during active hours based on such a routine.
WordDrone can function over several communication protocols including TCP, TLS, HTTP, HTTPS, and WebSocket, which all make identification and analysis much more difficult of the malware's network activities. Its use of a custom binary format for its communication makes it even more challenging to intercept or to interpret its network traffic for cybersecurity teams.
Possible Supply Chain Attack and Initial Infection Vector
The entry point of the WordDrone malware is not clear. Initial analysis, however, showed malicious files under a well-known Taiwanese ERP software's folder. That makes it likely that the attackers have also compromised the ERP software as part of a supply chain attack, possibly exposing other organisations that make use of the software in different marketplaces.
The attack by WordDrone on the Taiwanese drone industry is an example of vulnerabilities that sectors of strategic importance have to face. Ongoing vigilance from cybersecurity experts gives caution, as defence and technology-related organisations try to win the technological battle with such persistent threats.
