PSA: New Microsoft Word 0day used in the wild

PSA: New Microsoft Word 0day used in the wild

Microsoft has just patched an important vulnerability in Microsoft Word during its latest patch Tuesday cycle. According to the security firm that found it [1], this new zero-day (CVE-2017-8759) was used in targeted attacks to install a piece of malware known as FinFisher.

Microsoft Office has been in the line of fire throughout the year with malware distributors employing various social engineering techniques to trick users into opening up booby-trapped documents laced with exploits or macros. Indeed, while drive-by download activity has plummeted, malicious spam has been the dominant threat.

In this blog post, we do a quick review of this latest exploit and how future attackers are likely to add it to their own campaigns.

Infection flow

CVE-2017-8759 leverages an improper validation in a parsing module of the Web Services Description Language (WSDL) which leads to arbitrary code injection and execution. As we have seen it many times in previous attacks, mshta.exe is used to retrieve a script and eventually the malware payload.

Figure 1: Traffic view showing script and payload retrieval

Figure 2: Process view showing infection technique

Payload delivery implications

Depending on how the malicious document is delivered, it can require little or no user interaction in order to infect the target. In the former case, the document could be downloaded from a website or come as spam. It would bear the Mark of the Web and be flagged. In the latter case where the document was packaged – for example using 7zip – it could lose that MotW [2].

Figure 3: Side-by-side comparison of the same file, distributed differently.

In the first case, the user will be prompted to “Enable Editing” (which admittedly is less suspicious than enabling macros). This, in turn, will trigger the malicious code to execute.

Figure 4: CVE-2017-8759 attempt blocked (Protected View mode)

In the second case, where the MotW has been lost, the malicious Word document will immediately run its payload:

Figure 5: CVE-2017-8759 attempt blocked (normal mode)

If you haven’t done it yet, we strongly advise you to run Windows updates and apply the latest security patches. If experience serves well, each time a new zero-day is exposed, other online criminals jump in and rush to add it to their arsenal. This means that what was a small and targeted attack can all of the sudden become a widespread campaign.

Malwarebytes users were already protected against this exploit when it was still a zero-day. Additionally, we detect and block the FinFisher malware payload.

References

[1] FireEye, https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html

[2] Eric Lawrence, https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/

Indicators of compromise

Malicious Word document:

0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684

FinFisher:

b035ca2d174e5e4fd2d66fd3c8ce4ae5c1e75cf3290af872d1adb2658852afb8

Network traffic:

91.219.236[.]207/img/office.png 91.219.236[.]207/img/word.db 91.219.236[.]207/img/left.jpg

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher