Exploits embedded inside Microsoft Office documents such as Word, PDFs and Excel spreadsheets have been at the core of targeted attacks over the past two years.
Detection is improving, but resourceful hackers find new ways to get into networks. One new way in is using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.
Over a three-month period, researcher Mila Parkour collected 90 RTF files, quite a few with China-related file names and many targeting specific industries. All of them exploit CVE-2012-0158, a vulnerability in ActiveX controls within MSCOMCTL.OCX, OLE files developed by Microsoft to allow object linking and embedding to documents and other files. Successful exploits allow remote attackers to execute code over the Web, Office docs, or RTF files.
Some of the samples found are difficult to examine, said Lenny Zeltser, a handler at the SANS Internet Storm Center. Some contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting.
That is where German security researcher Frank Boldewin, who oversees the OfficeMalScanner toolkit, comes in. He updated the freely available toolkit with RTFScan, which can help identify RTF-based exploits and extract embedded artifacts for examination.
“The tool is fantastic for analyzing malicious RTF files,” Zeltser said. “Attackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it’s exploited, what happens next.”
In one case on the ISC Diary today, RTFScan was able to find an embedded OLE object that included the attacker’s shellcode, which would be executed by a vulnerable Word doc, Zeltser said. RTFScan was able to get around the obfuscation in place and extract the malicious embedded executable.
“RTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,” he said. “This would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. The number of attacks is not shrinking and attackers find all sorts of techniques to deliver payloads delivered with the help of Word, PDF, Excel and now RTF documents.”
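The kind of triage described above (locating an embedded OLE object in an RTF file and checking it for an executable) can be sketched in a few lines of Python. This is an added example, not RTFScan's code or its method: it handles only the case where the `\objdata` hex is split by whitespace, and the function names and the inert sample are constructed for illustration.

```python
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file signature

def objdata_blobs(rtf: bytes):
    """Yield (file_offset, decoded_bytes) for each \\objdata group."""
    for m in re.finditer(rb"\\objdata", rtf):
        end = rtf.find(b"}", m.end())
        raw = rtf[m.end(): end if end != -1 else len(rtf)]
        # Hex digits may be split by spaces and line breaks; drop them.
        digits = re.sub(rb"\s+", b"", raw)
        digits = re.match(rb"[0-9A-Fa-f]*", digits).group(0)
        yield m.start(), bytes.fromhex(digits[: len(digits) & ~1].decode())

def find_pe(blob: bytes) -> int:
    """Return offset of an MZ header whose e_lfanew points at 'PE\\0\\0', or -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = int.from_bytes(blob[pos + 0x3C: pos + 0x40], "little")
            if blob[pos + lfanew: pos + lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def triage(rtf: bytes):
    """Summarise every embedded object: where it is and what it contains."""
    return [{"rtf_offset": off, "size": len(blob),
             "ole2_at": blob.find(OLE2_MAGIC),
             # Heuristic: class name of a control hosted by MSCOMCTL.OCX.
             "mscomctl_class": b"mscomctllib" in blob.lower(),
             "pe_at": find_pe(blob)}
            for off, blob in objdata_blobs(rtf)]

def constructed_sample() -> bytes:
    """Constructed, inert RTF: OLE1 header bytes, OLE2 magic, a bare MZ/PE stub."""
    stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
    body = b"\x01\x05\x00\x00" + b"MSComctlLib.ListViewCtrl.2\x00" + OLE2_MAGIC + stub
    hexed = body.hex()
    spaced = "\r\n".join(hexed[i:i + 7] for i in range(0, len(hexed), 7))
    return b"{\\rtf1{\\object\\objocx{\\*\\objdata " + spaced.encode() + b"}}}"

if __name__ == "__main__":
    for finding in triage(constructed_sample()):
        print(finding)
```

A hit on `pe_at` or `mscomctl_class` is a reason to hand the file to a full analysis tool, not a verdict; payloads that are encoded or hidden with other RTF tricks will not show up in this check.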