New attacks via corrupted Word, Excel, Publisher and Outlook documents – Windows Mac and Linux devices.

Article posted at: 10th Nov 2017 under: Go Systems Blog

APT28 is malware from a well-known Russian cybercrime business. Its striking characteristic is that it can drop a payload individually designed for:

  • Windows
  • Linux
  • Mac devices

Note: Apple is very locked down, and developing malware for Mac costs a fortune, but when the attackers hit the designated target, it's jackpot time for cybercriminals. Senior executives are what they are after.

Advanced persistent threats are designed to evade traditional security tools and remain hidden within an organisation for as long as possible collecting data.

Since the Apple ecosystem is so tightly integrated between Mac OS (for notebooks, iMacs etc.) and Apple's phones, this is seen as a major issue. The malware is also designed to steal iOS backups from iPhones, thereby getting access to any data stored on the devices.

Macs are no longer immune.

The advisory notes that attacks can take place via email and corrupt Word, Excel, Publisher and Outlook documents. An attack is conducted through email when an attacker sends the intended victim a specially crafted file with a name designed to entice the victim to open it. Unlike other attacks that use Word docs, with DDE the victims do not have to manually enable macros for the payload to download. Instead, infection happens automatically.

What is DDE? It is a standard that allows data to be shared between different programs such as Excel. Say a cell in an Excel spreadsheet is shared with another program: if that cell changes, you get notified of the change.

  1. Do not open suspicious email attachments. Alternatively, manually create and set registry entries for Microsoft Office. The latter task should only be handled by someone familiar with the system, because if Registry Editor is used incorrectly the operating system may have to be reinstalled.
  2. An attack through Publisher would likely take place using a Word document, so the Word mitigation will solve this problem as well.
  3. Excel documents require DDE to open, but this can be disabled by going to Set File->Options->Trust Centre->Trust Centre Settings…->External Content->Security settings for Workbook Links = Disable automatic update of Workbook Links, Microsoft said. However, disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry, Microsoft noted.
  4. Outlook can also be adjusted through the Registry Editor, but this will disable automatic updates for DDE field and OLE links. These updates will have to be completed manually.

Earlier this year, researchers at SensePost determined that DDE could essentially be exploited to execute malicious code in Microsoft Word.

Microsoft reportedly chose not to act on the findings, calling this functionality an intentional feature. However, SensePost noted in a blog post that Microsoft said it would consider reclassifying the feature as a bug in the next version of Windows.

Be wary of emails with these types of attachments.

Action: Move your emails into the Cloud with high threat protection included. What this means is that any attachments are opened by Microsoft before they reach your desktop, and anything suspicious will most likely not come through. Ask us how with ATP.