New OLE Office Attack Vector
We recently encountered and caught an interesting file sent to one of our customers. In this post, I will walk you through the attack and what makes it interesting. The file I am going to review (SHA-256 2a85f00afee44b4aced32f4222fc516d3a1dae856411dfdeafa5c09e44162ea5) had only four detections on VirusTotal (VT) when our engine caught it, as you can see in VT's new GUI:
Moreover, it appears that some of the signatures are quite generic:
This file uses an RTF feature that became widely abused when CVE-2017-11882 exploits were circulating in the wild. In those exploits, attackers embedded an OLE object that made Word auto-open Microsoft's Equation Editor, exploited a memory-corruption bug in it, and achieved remote code execution (RCE). The automatic loading was done with the RTF \objupdate control word, which tells Word to update (and therefore load) the embedded object as soon as the document is opened. Microsoft later patched Equation Editor and published a general recommendation that organizations disable it from running at all.
OLE (Object Linking and Embedding) lets a document act as a container for objects that are served by another application, either embedded (a copy of the data lives inside the container) or linked. OLE is built on Microsoft's COM (Component Object Model) infrastructure, which gives components a standard way to expose functionality and lets processes talk to each other. COM is an integral part of Windows, and attackers can turn that to their advantage.
Although CVE-2017-11882 was patched, \objupdate is a legitimate RTF feature and still works exactly as before. The file we encountered contains an inner OLE object with \objupdate, but this time the object is not an Equation Editor object: it is an Excel workbook embedded in the object:
In this image you can see:
- The start of the OLE object data (the \object keyword)
- The \objupdate control word, which makes Word load (and so activate) this object as soon as the document is opened
- The class of the object, sheet.8 (the tail of the Excel.Sheet.8 ProgID; note that it is padded with spaces and dots)
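To make the structure described above concrete, here is an added example of my own (not code from the original post and not taken from the malicious file) that tokenizes an RTF document, extracts every \object group, reports whether it carries \objupdate, and recovers the object class both from the padded \objclass text and from the OLE1 header that sits at the start of \objdata. The two RTF samples inside the block are constructed for the example; the hex in them is a minimal OLE1 header, not the real payload.

```python
r"""Scan RTF text for embedded OLE objects that Word loads on open.

Added example, not code from the original post. Flags \object groups that
carry the \objupdate control word and recovers the object class both from
the (possibly padded) \objclass text and from the OLE1 header in \objdata.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Tokenizer for the parts of RTF syntax this scanner needs.
TOKEN_RE = re.compile(
    r"\\([A-Za-z]+)(-?\d+)? ?"   # control word with optional numeric parameter
    r"|\\'([0-9A-Fa-f]{2})"      # \'hh hex-escaped byte
    r"|\\(.)"                    # control symbol such as \*
    r"|([{}])"                   # group open / close
    r"|([^\\{}]+)",              # run of plain text (class names, hex data, ...)
    re.S,
)


@dataclass
class EmbeddedObject:
    auto_update: bool = False   # \objupdate present: Word loads it when the doc opens
    kind: str = ""              # objemb / objlink / objautlink
    obj_class: str = ""         # raw text of {\*\objclass ...}, padding included
    data_hex: str = ""          # raw hex text of {\*\objdata ...}

    def normalized_class(self) -> str:
        # The class text may be padded with spaces and dots; strip them before matching.
        return re.sub(r"\s+", "", self.obj_class).strip(".").lower()

    def data_bytes(self) -> bytes:
        clean = re.sub(r"[^0-9A-Fa-f]", "", self.data_hex)
        return bytes.fromhex(clean[: len(clean) // 2 * 2])

    def ole1_class_name(self) -> str:
        # OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, then a
        # length-prefixed ANSI class name. This is what the loader really uses,
        # so it is the value to trust when the \objclass text looks odd.
        data = self.data_bytes()
        if len(data) < 12:
            return ""
        _version, _format_id, length = struct.unpack_from("<III", data, 0)
        return data[12:12 + length].rstrip(b"\0").decode("ascii", "replace")


def parse_rtf_objects(rtf: str) -> List[EmbeddedObject]:
    """Return every \\object group found in the RTF text, in document order."""
    objects: List[EmbeddedObject] = []
    current: Optional[EmbeddedObject] = None
    start_depth = 0                  # group depth at which the current \object began
    depth = 0
    capture: Optional[str] = None    # "class" or "data" while inside those sub-groups
    for m in TOKEN_RE.finditer(rtf):
        word, _param, hexbyte, _symbol, brace, text = m.groups()
        if brace == "{":
            depth += 1
            continue
        if brace == "}":
            depth -= 1
            capture = None           # leaving any group ends a class/data capture
            if current is not None and depth < start_depth:
                objects.append(current)
                current = None
            continue
        if word is not None:
            if word == "object":
                # Nested \object groups are rare; an inner one replaces the outer.
                current = EmbeddedObject()
                start_depth = depth
                capture = None
            elif current is not None:
                if word == "objupdate":
                    current.auto_update = True
                elif word in ("objemb", "objlink", "objautlink"):
                    current.kind = word
                elif word == "objclass":
                    capture = "class"
                elif word == "objdata":
                    capture = "data"
                else:
                    capture = None
            continue
        if current is None or capture is None:
            continue
        chunk = text if text is not None else (chr(int(hexbyte, 16)) if hexbyte else "")
        if capture == "class":
            current.obj_class += chunk
        else:
            current.data_hex += chunk
    return objects


def find_auto_loading_objects(rtf: str) -> List[EmbeddedObject]:
    """Objects that Word will load without any user interaction."""
    return [o for o in parse_rtf_objects(rtf) if o.auto_update]


# Constructed sample (not the real malicious file): an embedded Excel.Sheet.8
# object with \objupdate and a class string padded with spaces and dots.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"\pard Please see the attached invoice.\par"
    r"{\object\objemb\objupdate\objw3000\objh2000"
    r"{\*\objclass Excel.Sheet.8       .....}"
    r"{\*\objdata 0105000002000000 0e000000 457863656c2e53686565742e3800}"
    r"{\result{\pict\wmetafile8 0100}}}"
    r"\par}"
)

# Constructed benign comparison: an embedded object without \objupdate.
BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 0105000002000000 08000000 5061636b61676500}}}"
)

if __name__ == "__main__":
    for name, rtf in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        for obj in parse_rtf_objects(rtf):
            print(name, obj.kind, "auto_update=%s" % obj.auto_update,
                  "class=%r" % obj.normalized_class(),
                  "ole1=%r" % obj.ole1_class_name())
```

The scanner reports two class names on purpose: the \objclass text is what a signature writer tends to match on and is trivial to pad, while the OLE1 header inside \objdata is what the loader consults, so a mismatch between the two is itself worth flagging.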
When Word opens the .rtf file, it loads the OLE object automatically and asks the COM activation service (running in the DcomLaunch service host) to start the server registered for that class, as the following stack trace shows:
At the bottom of the trace the OLE object is being loaded automatically; the loading code then calls combase's SendReceive, the RPC channel used to talk to the DCOM activation service.
What is the DCOM server here? It is the DCOM Server Process Launcher service (DcomLaunch), hosted in an svchost.exe that starts at Windows boot and is responsible for launching out-of-process COM/DCOM servers on request. Its command line is:
C:\Windows\system32\svchost.exe -k DcomLaunch
That svchost.exe handles the activation request and starts Excel.exe as its own child process. The parent of Excel is therefore svchost.exe rather than winword.exe, which breaks the usual Office parent/child heuristics and makes the behavior harder to detect dynamically:
Once Excel has loaded the embedded workbook, its auto-run macro executes and begins infecting the machine.
Now that we understand OLE and how it was used in the file, let’s recap all the steps:
- A malicious .rtf file is sent to an organization.
- When the file is opened, the \objupdate control word makes Word load the inner OLE object automatically.
- The OLE activation is handled by the DcomLaunch svchost.exe process, which in turn starts Excel as its child process.
- The embedded Excel workbook auto-runs a malicious macro.
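Steps 3 and 4 of the chain above leave a process-tree shape that the usual "Office spawned a shell" rule misses, because Excel's parent is svchost.exe rather than winword.exe. The following is an added example of my own (not from the original post) of detection logic that rebuilds the tree from Sysmon-style process-creation events and scores Office processes started by the DcomLaunch service host that go on to launch a script interpreter. The events are constructed for the example; the field names follow Sysmon event ID 1, but the PIDs, paths and command lines are made up, and PIDs are assumed not to be reused inside the window analysed.

```python
r"""Process-tree check for Office applications started by the DcomLaunch
service host that then spawn a script host.

Added example, not code from the original post. Input is a constructed set
of Sysmon-style process-creation events (JSON lines).
"""
import json
from collections import defaultdict, deque
from typing import Dict, List

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed events (Sysmon event 1 field names, invented values).
SAMPLE_EVENTS = r"""
{"ProcessId": 800, "ParentProcessId": 600, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch"}
{"ProcessId": 4120, "ParentProcessId": 3000, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" /n invoice.rtf"}
{"ProcessId": 4380, "ParentProcessId": 800, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "\"EXCEL.EXE\" -Embedding"}
{"ProcessId": 4512, "ParentProcessId": 4380, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAA=="}
{"ProcessId": 5000, "ParentProcessId": 3000, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "\"EXCEL.EXE\" budget.xlsx"}
{"ProcessId": 5100, "ParentProcessId": 800, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "\"EXCEL.EXE\" -Embedding"}
"""


def load_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dcomlaunch_host(event: Dict) -> bool:
    # The service host that launches out-of-process COM servers.
    return (image_name(event["Image"]) == "svchost.exe"
            and "-k dcomlaunch" in event["CommandLine"].lower())


def descendants(pid: int, children: Dict[int, List[Dict]]) -> List[Dict]:
    """All observed processes below pid, breadth-first."""
    out: List[Dict] = []
    queue = deque(children.get(pid, []))
    while queue:
        e = queue.popleft()
        out.append(e)
        queue.extend(children.get(e["ProcessId"], []))
    return out


def analyse(events: List[Dict]) -> List[Dict]:
    """Score every Office process; returns one finding per suspicious process."""
    by_pid = {e["ProcessId"]: e for e in events}
    children: Dict[int, List[Dict]] = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for e in events:
        if image_name(e["Image"]) not in OFFICE_IMAGES:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        dcom_launched = parent is not None and is_dcomlaunch_host(parent)
        hosts = [d for d in descendants(e["ProcessId"], children)
                 if image_name(d["Image"]) in SCRIPT_HOSTS]
        if dcom_launched and hosts:
            severity = "high"
            reason = "Office app started by DcomLaunch (embedded object) spawned a script host"
        elif hosts:
            severity = "medium"
            reason = "Office app spawned a script host"
        elif dcom_launched:
            severity = "low"
            reason = "Office app started by DcomLaunch: an embedded object was activated"
        else:
            continue
        chain = [f"{image_name(parent['Image'])}({parent['ProcessId']})"] if parent else []
        chain.append(f"{image_name(e['Image'])}({e['ProcessId']})")
        chain += [f"{image_name(h['Image'])}({h['ProcessId']})" for h in hosts]
        findings.append({"pid": e["ProcessId"], "severity": severity,
                         "reason": reason, "chain": " > ".join(chain)})
    return findings


if __name__ == "__main__":
    for f in analyse(load_events(SAMPLE_EVENTS)):
        print(f["severity"], f["chain"], "-", f["reason"])
```

Parent PIDs alone cannot tie the DCOM-launched Excel back to the Word instance that triggered it, since that link runs through the COM activation service rather than through process ancestry; in practice you correlate the two on user session and a short time window, and treat the low-severity "Office app started by DcomLaunch" events as the context that upgrades an otherwise ordinary winword.exe start.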
The Malicious Macro
Let’s have a look at the macro:
The Workbook_Open procedure shown above runs automatically when Excel opens the workbook. The macro is also heavily obfuscated. It uses a Select Case statement (VBA's switch) on a parameter that is set to 19. Debugging the macro leads us to the relevant case:
The called function is a very obfuscated one:
This function launches PowerShell, which I caught with Procmon:
Once PowerShell is running, the attacker's payload establishes persistence on the machine and executes the rest of the malicious code, giving the attacker full control.
Conclusions and Mitigations
In this blog post we dove into a new OLE attack that is becoming more and more popular. We have already seen it in several customer environments and expect it to become even more common. Another interesting point is that its positive detections on VT jumped from 4 to 23 in less than 24 hours. It is good to know that security solutions are updated within hours, but the first few hours after a piece of malware is released are exactly the critical ones.
What should you do to be more protected?
- Make sure that macros are disabled in your organization by policy (Office's Trust Center settings can be enforced through Group Policy).
- Don't open files that you receive via email if they look suspicious.
- Make sure that you use an attack-agnostic Advanced Threat Protection solution that detects malware from first sight.
To check how protected you are right now, try our online PenTest (it’s a matter of 1 click).