Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files


Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar manner, and this use of OLE might indicate a shift in behavior as administrators and enterprises mitigate against the macro infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with it (the object is usually represented with a script-like icon). When the user interacts with the object, a warning asks whether to proceed. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can occur.

Packager warning

Figure 1: Warning message asking the user to confirm whether to open the script.

It’s important to note that user interaction and consent are still required to execute the malicious payload. If the user doesn’t enable or click on the object, the code will not run and an infection will not occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.


Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents


It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which shows a variant in which the embedded control is a JS script rather than a VB script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant


The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant


It’s helpful to be aware of what this kind of threat looks like and what else it can look like, and to educate users not to enable, double-click, or activate embedded content in any file without first verifying its source.
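A defender reviewing documents like the ones in Figures 1 to 4 wants to know whether a file carries an embedded Packager object at all, and whether that object wraps a script rather than, say, another Office document. The following PowerShell script is an added example, not code from the original post or from Microsoft: it opens an OOXML file (.docx, .xlsx, .pptx) as a zip, reads each entry under the embeddings folder, and reports whether the entry is an OLE compound file, whether it contains the `Ole10Native` stream that Packager objects use, and which embedded file names it can recover. The folder names, the extension list, and the string-scanning heuristic are assumptions of this example; a clean result is a negative signal only, not proof of safety.

```powershell
# Added example (not from the original post): report embedded OLE objects in an
# OOXML document and flag Packager objects that carry a script-like file name.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions treated as script/executable content (assumed list; extend as needed)
$ScriptExtensions = 'vbs','vbe','js','jse','wsf','wsh','hta','ps1','bat','cmd','exe','scr','dll'

function Get-EmbeddedObjectReport {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Embedded objects live under word/, xl/ or ppt/ embeddings folders (assumed)
            if ($entry.FullName -notmatch '^(word|xl|ppt)/embeddings/') { continue }

            $stream = $entry.Open()
            $ms = New-Object System.IO.MemoryStream
            $stream.CopyTo($ms); $stream.Dispose()
            $bytes = $ms.ToArray(); $ms.Dispose()

            # OLE compound file header magic D0 CF 11 E0 A1 B1 1A E1
            $isCfb = $bytes.Length -ge 8 -and
                     ([BitConverter]::ToString($bytes, 0, 8) -eq 'D0-CF-11-E0-A1-B1-1A-E1')

            # Compound-file directory entries store stream names as UTF-16LE;
            # a Packager object carries an "Ole10Native" stream.
            $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
            $isPackager = $utf16.Contains('Ole10Native')

            # Inside Ole10Native the label and file name are NUL-terminated ANSI strings,
            # so scan a Latin-1 decoding for "name.ext<NUL>" patterns (heuristic).
            $ansi  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
            $names = [regex]::Matches($ansi, '[\w .\-]{1,64}\.([A-Za-z0-9]{1,4})\x00') |
                     ForEach-Object { $_.Value.TrimEnd([char]0) } |
                     Select-Object -Unique
            $flagged = $names | Where-Object {
                $ScriptExtensions -contains (($_ -split '\.')[-1]).ToLower()
            }

            [pscustomobject]@{
                Entry          = $entry.FullName
                CompoundFile   = $isCfb
                PackagerObject = $isPackager
                EmbeddedNames  = ($names -join ', ')
                ScriptPayload  = [bool]$flagged
            }
        }
    }
    finally { $zip.Dispose() }
}

# Usage: scan one document, or every .docx below a folder
# Get-EmbeddedObjectReport -Path .\suspicious.docx | Format-Table -AutoSize
# Get-ChildItem -Path .\samples -Filter *.docx -Recurse |
#     ForEach-Object { Get-EmbeddedObjectReport -Path $_.FullName } | Format-Table -AutoSize
```

An embedded Word document will show `CompoundFile = True` but `PackagerObject = False`, which matches the observation in the comments that the PackagerPrompt setting leaves embedded Office documents alone. Legacy binary formats (.doc, .xls) are themselves compound files rather than zips and are out of scope for this script.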

Technical details - downloading and decrypting a binary

In the sample we investigated, the content of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this infection vector: it has a “decryption function”.

This malicious VB script downloads a binary in encrypted form, so network-based protection that inspects file formats does not recognize it as an executable and block it; the script then decrypts the binary and runs it. Figure 5 illustrates the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary


The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable

Prevalence

Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first discovered them in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence


Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)


Setting the value to 2 disables packages in that application: they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:

  • 0 - No prompt from Office when the user clicks; the object executes
  • 1 - Prompt from Office when the user clicks; the object executes
  • 2 - No prompt; the object does not execute

You can find details about this registry key in the Microsoft Support article https://support.microsoft.com/en-us/kb/926530.
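Applying the key by hand for four Office versions and several applications is error-prone, so here is an added PowerShell example (not code from the original post or from Microsoft) that sets PackagerPrompt to 2 for every Office version and application hive present under HKCU and then reports the resulting state. The version numbers and value meanings come from the article above; the application subkey names (Word, Excel, PowerPoint) and the decision to skip products that have no hive for the current user are assumptions of this script.

```powershell
# Added example (not from the original post): set PackagerPrompt = 2 for each
# installed Office version/application under HKCU and report the result.
$OfficeVersions = '16.0', '15.0', '14.0', '12.0'   # Office 2016, 2013, 2010, 2007
$OfficeApps     = 'Word', 'Excel', 'PowerPoint'     # assumed subkey names under each version

function Get-PackagerPromptValue {
    param([string]$Version, [string]$App)
    $secKey = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $secKey)) { return $null }
    # Returns $null when the value has never been set (Office default applies)
    return (Get-ItemProperty -Path $secKey -ErrorAction SilentlyContinue).PackagerPrompt
}

function Set-PackagerPromptValue {
    param([string]$Version, [string]$App, [ValidateSet(0, 1, 2)][int]$Value = 2)
    $appKey = "HKCU:\Software\Microsoft\Office\$Version\$App"
    # Skip products that have no hive for this user; there is nothing to harden there
    if (-not (Test-Path $appKey)) { return $null }
    $secKey = Join-Path $appKey 'Security'
    if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
    # PackagerPrompt is a REG_DWORD; -Force overwrites an existing value
    New-ItemProperty -Path $secKey -Name 'PackagerPrompt' -PropertyType DWord -Value $Value -Force | Out-Null
    return Get-PackagerPromptValue -Version $Version -App $App
}

function Get-PackagerPromptReport {
    $meaning = @{
        0 = 'no prompt, object executes'
        1 = 'prompt, object executes'
        2 = 'no prompt, object does not execute'
    }
    foreach ($v in $OfficeVersions) {
        foreach ($a in $OfficeApps) {
            if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\$a")) { continue }
            $current = Get-PackagerPromptValue -Version $v -App $a
            $state = if ($null -eq $current) { 'not set (Office default)' }
                     else { "$current = $($meaning[[int]$current])" }
            [pscustomobject]@{
                Version        = $v
                Application    = $a
                PackagerPrompt = $state
                Hardened       = ($current -eq 2)
            }
        }
    }
}

# Harden every installed version/application for the current user, then report
foreach ($v in $OfficeVersions) {
    foreach ($a in $OfficeApps) {
        Set-PackagerPromptValue -Version $v -App $a -Value 2 | Out-Null
    }
}
Get-PackagerPromptReport | Format-Table -AutoSize
```

Because the key lives under HKCU, the script must run in each user’s context (for example from a logon script or Group Policy Preferences) rather than once per machine. The report only shows what the registry says; test the behaviour in each application with a harmless embedded object to confirm the setting is honoured.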


See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:


Alden Pornasdoro

MMPC


Comments (10)

  1. Martin Zonderland says:

    Does AppLocker prevent this attack? When scripts have only whitelisted folders to run from?
    Or other kinds of software like RES Workspace Manager when using whitelisting?

  2. adwbust says:

    Pls check submission ID 5edacf72-ce51-4451-9ce7-32f4fdca91db
    It’s an htm sample that should be detected as html/phish! It was an attachment in a spam/phish mail! Phish mails now don’t contain links but htm attachments! SmartScreen is useless in this case unless you block htm download or open htm in offline (protected) mode!

  3. Tim Bailen says:

    I was curious if setting this restriction through the registry would affect Office documents embedded in other Office documents, so I tested and it does not. You can still interact with embedded documents. The registry setting did block embedded VBS as expected.

  4. adwbust says:

    Why is my comment on the undetected phish htm still in moderation? Blockading my comments now?!

    1. msft-mmpc says:

      Sorry adwbust, we just have to manually review and publish every comment and sometimes this takes some time. They should all be published now.

      1. adwbust says:

        My submission has yet to be analysed!

        Can you pls at least have SmartScreen block “hopscotch(dot)tw”? That’s where the htm sends the credentials.

  5. Tobie Fysh says:

    Does Office 365 Advanced Threat Protection on email (detonating the contents of an email) protect against this?

  6. Justine Bhandary says:

    @mmpc: thank you for this article. Would REG_DWORD PackagerPrompt be understood by Office 64-bit applications?

    @Tim Bailen: thank you for your evaluation and confirmation that this setting does not block embedded Word documents. Did you evaluate other formats?

  7. Ryany says:

    Hello, thanks for the great article! Unfortunately, this registry setting does not work for me. The “1” value works for me as expected, but the “2” value has the same effect as the “0” value. Any suggestions on how to fix this would be much appreciated. I am running Office 2013 on Server 2008 R2.

    1. Ryany says:

      After further testing I have found this defect only in Excel. Word, PowerPoint, and Publisher all work correctly. Thanks!
