Hackers Devise Microsoft Office Infections via CVE-2017-0199 Exploit


Computer hackers are now attempting to infect computers worldwide with the CVE-2017-0199 exploit. The attackers have devised a new method that abuses a function found in the new releases of Microsoft Office.


Microsoft Office Feature Abused Through CVE-2017-0199 Exploit

Security analysts have detected a dangerous new hacker campaign that abuses Microsoft Office files to deliver malware strains. What sets these incidents apart is their strategy: they exploit a feature that was recently integrated into the Microsoft Office suite.

The actual exploit is described as the following:

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.”

Effectively this allows malware to be inserted in documents by abusing the auto-update of embedded links. This is a new feature that is now on by default for any newly created documents. If any external resources are linked in the files, the relevant program (Microsoft Word, Excel, etc.) will automatically update them if changes are made.

The infection route follows a classic scenario ‒ the hackers create infected documents using automated means. The files follow a predefined pattern that can be altered at will. The collected samples show that the documents are titled “N_Order#xxxxx.docx”, where “xxxxx” denotes a randomly generated number. When the document is opened, the embedded links lead to another document (current versions embed an RTF file) which triggers the CVE-2017-0199 exploit. The malware file is hosted on a hacker-controlled download server. The RTF file itself triggers a JavaScript-based payload that uses PowerShell to download hacker-provided malware. A similar attack was reported via a PowerPoint Open XML Slide Show (PPSX) file which delivers a keylogger Trojan that allows the hackers to take over control of the infected machines.
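A triage check for the delivery documents described above, as an added example that is not part of the original article. It assumes the linked RTF is stored as an externally targeted OLE relationship in the package's `.rels` parts (the article does not describe the file internals); the sample packages, host names and digit count in the filename pattern are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile input prefer defusedxml.ElementTree

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Naming pattern from the article; the number of digits is an assumption.
NAME_RE = re.compile(r"^N_Order#\d+\.docx$", re.IGNORECASE)
MAX_PART = 1 << 20  # skip oversized .rels parts (zip-bomb guard)

def external_links(data):
    """Return (part, type, target) for each relationship with TargetMode=External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter(REL):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((info.filename, rel.get("Type"), rel.get("Target")))
    return found

def triage(filename, data):
    """Flag documents whose OLE objects are linked (auto-updatable), not embedded."""
    links = external_links(data)
    ole = [target for _, rtype, target in links if rtype == OLE]
    return {"campaign_name": bool(NAME_RE.match(filename)),
            "external": [target for _, _, target in links],
            "linked_ole": ole,
            "suspicious": bool(ole)}

def make_docx(rels_body):
    """Build a minimal constructed package in memory (not a real sample)."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{ns}">{rels_body}</Relationships>')
    return buf.getvalue()

BAD = make_docx(f'<Relationship Id="rId1" Type="{OLE}" '
                'Target="http://files.example.invalid/doc.rtf" TargetMode="External"/>')
GOOD = make_docx(f'<Relationship Id="rId1" Type="{LINK}" '
                 'Target="https://example.com/" TargetMode="External"/>')

if __name__ == "__main__":
    print(triage("N_Order#48213.docx", BAD))
    print(triage("report.docx", GOOD))
```

Ordinary hyperlinks are also external relationships, so only linked OLE objects raise the `suspicious` flag; the other external targets are listed for review.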

Microsoft Office Malware via CVE-2017-0199 Exploit Analysis

The captured samples associated with the CVE-2017-0199 exploit have been analyzed by the security researchers. It has been found that it impacts a large number of files and folders such as: Microsoft Office templates, Configuration files, User documents, Local settings, Cookies, Temporary Internet Files, Application Data and related.

During the infection process the malware showcases typical browser hijacker-like actions. The virus code extracts sensitive information from the installed web browsers. Depending on the obtained sample the list may include the following applications: Mozilla Firefox, Safari, Internet Explorer, Google Chrome and Microsoft Edge. The type of harvested data can include any of the following: history, form data, bookmarks, passwords, account credentials, settings and cookies.

The CVE-2017-0199 exploit has been found to initiate a dangerous stealth protection feature by delaying its infection engine. This is an attempt to evade anti-virus signature checks, as most computer viruses start to infiltrate the compromised machines immediately.

The Trojan included with the CVE-2017-0199 exploit has been found to report data to the hackers via their own network infrastructure. Other malicious actions include the creation of a malicious Windows startup entry, so the Trojan code is started every time the computer boots. Effectively this means that the hackers can take complete control of the operating system and the user files.


Consequences of the CVE-2017-0199 Exploit Attacks

As a result of the infections the compromised computers are left with a Trojan instance that can be modified with other versions. While the current attack campaigns have been found to feature the malware in question, we expect to see this feature integrated into exploit kits and botnets. They can distribute advanced ransomware which can cause much more serious damage to the victim computers.

Other possible consequences include the following:

  • Botnet Recruitment ‒ The infected computers can be recruited into a worldwide botnet. When this is done, the resources of the victim machines are utilized to spread malware to targets by following a predefined scenario issued by the controlling hackers.
  • Additional Malware Infection ‒ The compromised computers can be infected with other threats as directed by the hackers.
  • Identity Theft ‒ The criminals can use the obtained information along with other files retrieved from the machines to conduct crimes including financial abuse and identity theft.
  • Data Theft ‒ The malware creators can use the Trojan to steal private data of their own choice via the network connection.

Users can protect themselves by employing a state-of-the-art anti-spyware solution. It can effectively guard against all types of computer viruses and related threats and remove active infections with the click of the mouse.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
