According to sources, a phishing campaign has been initiated by attackers with the email subject ‘Fwd: BL’. An attached Word Document/Excel Spreadsheet executes pre-defined commands and delivers malware to the targeted system. The malware then exploits the CVE-2017-0199 vulnerability in windows.
Earlier this year, a reputed information security company had disclosed that Microsoft Office RTF documents could be used to deliver malware further exposing windows based systems to remote code execution vulnerability. This vulnerability is tracked as CVE-2017-0199 and has been patched by Microsoft so it is pretty evident that the computers that are getting infected by this vulnerability are the ones that have not been updated with the fixes.
The email with the specially crafted attachment has been circulated from the sender pedro.estaba@cindu.com.ve but there are possibilities that the email could be sent by other senders too. However, it is most likely that the contents of the email could be the same as mentioned below.
FYI,
Please find attached scanned shipping documents that our client demanded that we should forward to your company. Please contact our agency with the above information mentioned in our scanned BL.
Thanks and Best Regards,
Officina Meccanica Tomè Roberto Via Bellasio 15 33084 Cordenons PN
Tel: 0434 40472 Fax: 0434 40609 cell: 348 3044372
e-mail: assistenza@tomeroberto.it
Microsoft had released patches in April, 2017 that fixed the remote code execution vulnerability tracked as CVE-2017-0199. If these fixes are not applied, then the system can get infected by the malware payload on just pre-viewing the word document.
The Email Attachment:
According to threat intelligence reports, the email attachment could be a word document or a excel spreadsheet. These documents could either have an embedded OLE object or a macro script that could run a chain of commands causing windows based computers to get infected with the malware. The phishing campaign that has targeted numerous computers until now is said to have affected windows based computers. So far Mac, IPhone, IPad, Blackberry, Windows phone or Android phone has not been affected by attacks that exploit CVE-2017-0199 vulnerability.
Microsoft Office Safety Measures:
MS Office version 2010 and higher do have default security settings that are meant to protect users from attacks. However, one can double check the settings of MS Excel and word document which should have its protected view enabled and macros disabled. A document or a spreadsheet can be read in protected view which reduces the possibilities of the spread of virus and malware. Macros allow executing instructions and commands in MS excel and word document to ensure that a task is completed automatically. Users must also ensure that they do not enable editing which could trigger an attack.
Malware Payload Analysis:
The security analysis of Export.doc confirms that a HTA file is downloaded from http://birsekermasali.com/hta/docs.hta. This HTA file has pre-defined commands loaded to it that triggers the download of http://birsekermasali.com/js/boss/payment.exe
The allfiles.hta initiates the download of http://birsekermasali.com/js/boss/invoices.exe
kelly.hta triggers two downloads http://birsekermasali.com/js/kels/docs.exe and http://birsekermasali.com/js/kels/dates.exe
Click here to view the Deployment information of Microsoft update that addresses the CVE-2017-0199 vulnerability.
Get in touch with us for cybersecurity needs.