Hackers Using New Macro-Less Techniques to Distribute Malware

DooKey

A Malwarebytes security researcher has found a way to embed a specially-crafted settings file in an Office document, and this can be used to run malicious code. This kind of exploit is just another example of what's unintentionally available in huge software packages like Windows 10 and Office. At least we have companies like Malwarebytes that are attempting to stem the flood of malware like this, or we'd be in sad shape. Fortunately, this new malware vector still requires an individual to open the document in the first place. Word (no pun intended) to the wise: be aware of the source of your documents, because these hackers are never going to quit.

The file format, specific to Windows 10 and called .SettingContent.ms, is essentially XML code that is used to create shortcuts to the Control Panel.

"This feature can be abused because one of its elements (DeepLink) allows for any binary with parameters to be executed. All that an attacker needs to do is add his own command using Powershell.exe or Cmd.exe. And the rest is history," said Segura.
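A defender-side check for the format Segura describes, added here as an example (not code from the article, from Malwarebytes or from the forum): it pulls every DeepLink value out of a SettingContent.ms document, flags targets that invoke a script host or carry a command line instead of a bare Control Panel shortcut, and greps the members of an Office document (an OOXML zip) for the same. The element layout of the samples, the in-memory document and the interpreter list are constructed assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Interpreters named in the thread (powershell.exe, cmd.exe) plus a few other script hosts.
# Assumed heuristic list, not a complete one.
SUSPICIOUS = re.compile(r'(^|[\\/\s"])(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b', re.I)
DEEPLINK_RE = re.compile(rb"<DeepLink>(.*?)</DeepLink>", re.S | re.I)

def deeplinks(xml_text):
    """Return every DeepLink value in a SettingContent.ms document, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text]

def is_suspicious(deeplink):
    """True when the DeepLink runs a script host or carries arguments instead of a bare shortcut target."""
    target = deeplink.strip().strip('"')
    return bool(SUSPICIOUS.search(target)) or " " in target

def scan_ooxml(doc_bytes):
    """Grep every member of a .docx/.xlsx/.pptx container for DeepLink elements; return (member, target) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            for m in DEEPLINK_RE.finditer(zf.read(name)):
                target = m.group(1).decode("utf-8", "replace")
                if is_suspicious(target):
                    hits.append((name, target))
    return hits

def build_doc(settings_xml):
    """Constructed minimal docx-like zip with the settings file stored as an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # Real OLE packaging wraps (and may fragment) the XML; the raw byte grep above is a first-pass check.
        zf.writestr("word/embeddings/oleObject1.bin", settings_xml)
    return buf.getvalue()

# Constructed samples (not real malware); the element layout follows the SettingContent.ms shape.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation><DeepLink>%windir%\\system32\\control.exe</DeepLink></ApplicationInformation>
</SearchableContent></PCSettings>"""
ABUSED = BENIGN.replace("%windir%\\system32\\control.exe", "cmd.exe /c calc.exe")
```

Run `scan_ooxml(open("suspect.docx", "rb").read())` against a real attachment; an empty list means no DeepLink was found in any member, not that the file is clean.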
 
Hasn't office always had this problem of code being run inside. Remember this years ago something similar
 
Hasn't office always had this problem of code being run inside. Remember this years ago something similar
Yes, but it always changes shape. You can do a lot with macros in Office 2016 and 365, and it gives you a lot of reporting power, especially in Excel. MS does what it can, but that's the problem with powerful tools: sometimes they bite you in the ass. Though it will block all macros by default and you specifically have to then enable editing on the document, then enable macros before they can run, I feel anybody who gets snagged by this has two-stepped their way to failure; unless their macro somehow disables those 2 steps, then that needs to get patched fast. Additionally, most Exchange servers and O365 mail servers will strip out macros from people not on your whitelist.
 
Yes, but it always changes shape. You can do a lot with macros in Office 2016 and 365, and it gives you a lot of reporting power, especially in Excel. MS does what it can, but that's the problem with powerful tools: sometimes they bite you in the ass. Though it will block all macros by default and you specifically have to then enable editing on the document, then enable macros before they can run, I feel anybody who gets snagged by this has two-stepped their way to failure; unless their macro somehow disables those 2 steps, then that needs to get patched fast. Additionally, most Exchange servers and O365 mail servers will strip out macros from people not on your whitelist.
How would macro control help you here?
 
How would macro control help you here?
I misunderstood how they were executing the attack, my bad, it doesn't in this case. I thought they were forming the XML to run a macro, but they are using the XML to run PowerShell in the background, which is completely different. This is what happens when I read complicated topics before finishing the coffee.
 
Seems like you can mitigate this with the "Block Office applications from creating executable content" ASR rule and up to date security definitions.

Set it via GPO.
 
Seems like you can mitigate this with the "Block Office applications from creating executable content" ASR rule and up to date security definitions.

Set it via GPO.

Maybe, maybe not, from TFA: "According to a blog post by Jérôme Segura, a Malwarebytes security researcher, hackers could use an infection vector that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology."

Guess it depends on how the infection bypasses ASR.
 
Maybe, maybe not, from TFA: "According to a blog post by Jérôme Segura, a Malwarebytes security researcher, hackers could use an infection vector that circumvents the current protection settings and even Microsoft’s new Attack Surface Reduction technology."

Guess it depends on how the infection bypasses ASR.

From what I saw on some Twitter thread, it hinges on you having up-to-date definitions as well; at that point, it appears to be successfully stopped.
 
Sounds like a Windows problem to me.

 
From what I saw on some Twitter thread, it hinges on you having up-to-date definitions as well; at that point, it appears to be successfully stopped.
Not 100% sure if it is or isn't, I am reading conflicting statements. In the meantime I just added Office docs to the list of things not allowed from external non-whitelisted sources. Will re-allow them once I have a clearer picture of a proper mitigation.
 
Sounds like a Windows problem to me.

Windows 10 problem, and another example of how silly the "better upgrade to 10 if you want to be secure" narrative is, since all the nonsense features and bloatware MS keeps adding are just opening new attack vectors.

Windows 7 and to a lesser extent 8.1 are more secure because they're feature static, MS doesn't screw with them anymore beyond security patches, and the worst exploits were already found and hardened over time.

I only use Windows (8.1) to launch Steam games at this point; everything else I've migrated to Linux Mint. Windows and its three decades of spaghetti code - plus the crap MS keeps adding to 10 - are the exploit gifts that keep on giving.
 
"The file format, specific to Windows 10 called .SettingContent.ms"

Also, 8.1 is more secure than 7: it has BitLocker starting at the Pro edition and SMB 3.0, for those that actually enable it and encrypt file shares in transit.
 
Windows, the Swiss cheese OS.

If you're doing ALL your work, gaming, (") productivity ;) ("), downloading etc. on just one OS install, you're taking a very big risk, especially on something as ubiquitous as Windows.

Said it in the Linux Mint thread, but it's worth repeating. For your banking and sensitive information, just run a direct-to-USB install of an up-to-date Linux distro, preferably with a lightweight DE like XFCE or MATE, as all you're doing is browser work. Keep the install clean, lock the browser down to a minimum (clear all data on close / don't log in persistently, block JS on everything but the intended sites) and only use it for its intended purpose. Plug it in, do the work and then unplug it and go back to whatever OS you do your shitposting and gaming on.

It doesn't stop certain browser exploits or if your router gets compromised etc. Nothing is 100% secure, but it mitigates a good degree of risk. Takes 15 mins to install, 5 mins to configure the browser.
 
Windows 10 problem, and another example of how silly the "better upgrade to 10 if you want to be secure" narrative is, since all the nonsense features and bloatware MS keeps adding are just opening new attack vectors.

Windows 7 and to a lesser extent 8.1 are more secure because they're feature static, MS doesn't screw with them anymore beyond security patches, and the worst exploits were already found and hardened over time.

I only use Windows (8.1) to launch Steam games at this point; everything else I've migrated to Linux Mint. Windows and its three decades of spaghetti code - plus the crap MS keeps adding to 10 - are the exploit gifts that keep on giving.
The problem with Windows 10 is that Microsoft doesn't test anything, it seems. You are the beta tester, or even alpha tester. This isn't different for Linux, but you have many eyes on the code, from companies to Bob in his basement. With Windows you have only Microsoft's eyes on the code. That isn't enough today to find every bug.

I personally only have 1 Windows 10 machine and that's for gaming. Everything else runs Linux Mint. That 1 Windows 10 is my gaming PC. Everything else isn't focused on gaming.
 
This isn't different for Linux, but you have many eyes on the code, from companies to Bob in his basement. With Windows you have only Microsoft's eyes on the code. That isn't enough today to find every bug.

All non-trivial software has bugs; that's Computer Science 101. You can have all the eyes on code you want; it's difficult or impossible to discover many flaws from static analysis alone, as they would only show up at runtime and often only under specific circumstances.
 
All non-trivial software has bugs; that's Computer Science 101. You can have all the eyes on code you want; it's difficult or impossible to discover many flaws from static analysis alone, as they would only show up at runtime and often only under specific circumstances.

It sure doesn’t help when stuff like telemetry is shoe-horned into a decades old codebase and given priority as a “feature”.
 
It sure doesn’t help when stuff like telemetry is shoe-horned into a decades old codebase and given priority as a “feature”.

That decades-old code base runs who knows what, though. If you have a complex piece of software deployed across the world, any developer would naturally want some automation and real-time data as to how that software is performing. That's just truth. I'm not saying that Microsoft is handling the situation perfectly or even well, but you can't deploy software on the scale of Windows 10 and have no telemetry. That's nuts.
 