Researchers warn of a Windows Zero-Day Attack observed in the wild

Security researchers from firms McAfee and FireEye are warning of a Windows zero-day attack in the wild that put Microsoft users at risk of hack.

Security researchers from security firms McAfee and FireEye are warning of hackers exploiting a Windows zero-day vulnerability in the wild.

Just opening an MS Word document could put you at risk, the exploitation of the flaw could allow an attacker to silently install a malware on a fully patched Windows machine.

The attack vectors are malicious emails that come with a weaponized Word document containing a booby-trapped OLE2link object.

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script.” reads the analysis shared by FireEye. “In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link. “The vulnerability is bypassing most mitigations”

When the user opens the document, the malicious code is executed, it first connects to a remote server to download a malicious HTML application file (HTA) that’s masquerading as a document created in Microsoft’s RTF (Rich Text Format).

The HTA file is automatically executed automatically with attackers gaining full code execution on the target machine, downloading additional malicious payloads to fully compromise the machine.

The Windows zero-day attack leverage on .hta content that is disguised as a normal RTF file to evade security solutions, but researchers at McAfee spotted the malicious Visual Basic scripts in a later part of the file.

The exploit displays a decoy Word document for the victims to see before terminating to avoid suspicion.

“The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.” reads a blog post published by McAfee.

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)”

This Window zero-day attack is very insidious, it doesn’t require victims interaction, for example, it doesn’t need victims enabling Macros.

The Window zero-day attack works on all Windows OS version, even against Windows 10.

The security firm reported the Windows zero-day attacks to Microsoft back in January 2017, for this reason, McAfee decided to publicly disclose the vulnerability and a day after also FireEye made the same.

This Tuesday Microsoft will release security updates, let’s hope the company will address also the zero-day exploited in the wild.

Below the recommendations to mitigate such kind of Windows zero-day attack:

Do not open any Office files obtained from untrusted locations.
According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Windows zero-day attack, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.