There is a macro-like infection method attackers could use on the Microsoft Object Linking and Embedding (OLE) system.
The infection could entice users into running malicious scripts.
OLE is proprietary Microsoft technology used in some of the company’s software products, which allows users to embed or link to various types of content inside the software.
Last month, Microsoft officials said its security products started picking up malicious documents attached to spam email that leveraged OLE objects.
Users who downloaded and opened the Office documents received the same message seen with many macro malware campaigns.
Attackers said the file required “human verification” and the user needed to double-click the big icon at the center of the document.
Both scripting languages have support in Windows and have access to powerful system-level commands.
For this particular campaign, the malicious scripts downloaded an encrypted binary. The scripts also managed to bypass network-based protections designed to detect malicious data formats.
The scripts then saved the encrypted binary on disk, decrypted its content, and executed it, effectively installing either the Vibrio or the Donvibs Trojans.
These two are malware droppers, designed for the sole purpose of getting an initial foothold and then downloading more potent malware after they gained boot persistence on the target’s machine. Microsoft said in this case, the final payload was the Cerber ransomware.
The OLE attack approach relies on social engineering, since a user still needs to click and approve the execution of malicious code, just like users have to enable macro support in Office docs.
Unlike macro malware, the OLE attack has novelty on its side, as most users won’t know that, by allowing the JS and VBScripts to run, they are exposing themselves to malware infections.
Microsoft published instructions on how to avoid getting contaminated with malware via malicious OLE objects.
The company recommends administrators find and edit the following registry key to all their workstations: HKCUSoftwareMicrosoftOffice< Office Version >< Office application >SecurityPackagerPrompt.
The value of < Office Version > can be 16.0 (Office 2016) ; 15.0 (Office 2013) ; 14.0 (Office 2010) ; or 12.0 (Office 2007). The value of < Office application > is the Office application name, usually Word, Excel, and the rest.
The values of the registry key should be “2,” Microsoft said. The value “2” means “No prompt, Object does not execute.” The value of “1” means “Prompt from Office when user clicks, object executes” while “0” stands for “No prompt from Office when user clicks, object executes.”
Click here for more details.