Exploits and using MS Word to spread the virus


At the end of 2015 the Internet was shaken by a serious event: many IT resources and security blogs started warning users about a new crypto-virus, Locky. There are a few reasons why this particular crypto-virus was so dangerous at the time. First of all, the way it spread and chose its targets: Locky went mainly after corporate machines, where the ransom payouts are largest, and a lot of companies became its victims. Today we will explain how that was possible.

General Information

Any virus, Trojan or other malicious program has to get onto your PC before it can do any harm. Adware and potentially unwanted programs arrive bundled with legitimate software and installers; Trojans have no such easy route into your system.

This is where exploits come in. Exploits are divided into local (local code execution) and remote (remote code execution, RCE). Remote exploits are more valuable to cyber criminals because RCE lets them run malicious code on your machine from a distance. Browsers are the usual target for this approach, and the attack is called a "drive-by download". The bugs are usually found not in the browser itself but in its popular plug-ins: Flash Player (the favourite), Java and Silverlight.

How does it work?

The user visits a website that has been compromised by hackers, or on which a hidden malicious element (an iframe) has been placed. The browser, plug-in and operating system versions are fingerprinted, and if they match what the exploit kit supports, specially crafted content for Flash Player (or another vulnerable plug-in) is served and the user unwittingly becomes a victim: the Trojan is already on the system. Such attacks are very efficient when the site has a large amount of traffic.
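The injected element described above is usually a frame the visitor never sees. The following script is an added example, not code from the original article: it lists every iframe on a page that is invisible to a human (zero or near-zero dimensions, display:none or visibility:hidden, or a position far off-screen). The two sample pages are constructed for the demo, and the host names in them are placeholders.

```python
"""Spot the hidden iframe that exploit-kit injections rely on (added example)."""
import re
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


# CSS tricks that keep a frame out of sight while it still loads
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def is_tiny(value):
    """True for width/height values such as '0', '1', '2px', '0%'."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 2


def hidden_iframes(html):
    """Return a list of (src, reason) for iframes the visitor cannot see."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if is_tiny(attrs.get("width", "")) and is_tiny(attrs.get("height", "")):
            reasons.append("tiny dimensions")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by css")
        if reasons:
            findings.append((attrs.get("src", ""), ", ".join(reasons)))
    return findings


# Constructed sample: a normal video embed, then the same page with an injected
# frame that pulls an exploit-kit landing page (host names are placeholders)
CLEAN_PAGE = ('<html><body><iframe src="https://www.example.com/video" '
              'width="560" height="315"></iframe></body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://landing.example.net/gate.php" width="0" height="0" '
    'style="visibility:hidden; position:absolute; left:-5000px"></iframe></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "->", hidden_iframes(page))
```

The check is deliberately structural: it does not need to know which site is legitimate, only that a frame is being loaded where nobody can see it, which is exactly what a compromised page with a drive-by injection looks like.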

Fortunately, the cyber criminals face some obstacles. Modern Chrome and Firefox use a "sandbox" security mechanism (Chrome's in particular) that is very hard to break out of, so it is not suited to mass exploitation. A reliable RCE chain against Chrome costs a great deal of money, and security teams would quickly notice it being used at scale. The main target of "drive-by download" attacks is therefore Internet Explorer, as the exploit kits sold on the darknet show. Example, Rig 3.0:

Pic 1. RIG 3.0 exploit kit advertised on the darknet.

This is the main reason why hackers now prefer e-mail spam combined with social engineering (SE) and malicious documents (MS Office Word) that carry macros or local code execution exploits for Microsoft Office and Adobe PDF Reader. There is a variety of baits to make the user run the infected file. Let's take a closer look at this process!

Exploits in MS Word

Some versions of Microsoft Office are vulnerable. Of course, the bugs were fixed promptly, but not all users like to update their software. The attack scenario is the same every time: the user receives a letter with a bait, for example with the subject "Your bank statement" and an attached document named "Invoice". There have been cases where one person in an office could not open such an attachment and forwarded it to all his colleagues; as a result, every machine was infected. Sometimes the attack is aimed at a particular person. In that case the attacker sends test e-mails to find out the interests of the victim, or gathers personal data from social-network profiles.

A malicious document carrying a local code execution exploit fires as soon as the user opens it, provided the installed Office version is vulnerable.
Here is the advertisement for one popular exploit kit, Microsoft Word Intruder (MWI), from a Russian-speaking darknet community (translated):


MWI PACK - a professional "delivery tool", an exploit pack based on the most popular 1-day vulnerabilities in Microsoft Office Word. A document generated by MWI may contain 4 different exploits at once:

1. CVE-2010-3333
2. CVE-2012-0158
3. CVE-2013-3906
4. CVE-2014-1761

The executable file may be wrapped inside of a body of a document or be downloaded from web-server by URL.
Supports DLL.

What distinguishes this exploit pack from the others:

- Uniqueness

MWI is the only choice on the .doc exploit market that allows you to attack several vulnerabilities simultaneously. This method increases your chances of success and attacks from two different vectors: the operating system and the office software suite. MWI is the first and the only solution on the market.

A cheaper (and therefore more popular) method is the use of MS Office macros: VBA (Visual Basic for Applications) scripts embedded in the document. Such files have the extension .docm (macro-enabled) or the legacy .doc; a plain .docx cannot carry macros.
Macros are disabled by default, but when the user opens the document a prompt to enable them appears:

Pic 3. Example of a malicious document used to deliver the Locky crypto-locker.
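Both delivery methods discussed on this page, the 1-day exploit document from the MWI section and the macro carrier shown in Pic 3, can be recognised before anyone opens the attachment. The script below is an added example, not code from the original article or from any tool it names. It reads only the first bytes and the container structure of a file and reports what a defender wants to know: whether an OOXML file embeds a VBA project (and whether its extension lies about that), whether a ".doc" is really RTF (Word opens RTF regardless of extension, so exploit documents often ship that way), and whether an RTF carries the "pFragments" shape property or the "\listoverridecount" control word, the markers historically associated with CVE-2010-3333 and CVE-2014-1761 from the MWI list. A hit is a reason for a closer look, not proof of exploitation. File names and contents are constructed for the demo.

```python
"""Lightweight triage of e-mailed Office attachments (added example)."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsx ...)
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
# RTF markers historically abused by 1-day Word exploits; a hit needs follow-up
RTF_MARKERS = re.compile(rb"pFragments|\\listoverridecount")


def triage_attachment(filename, data):
    """Return a list of findings (empty list = nothing notable) for one file."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        if "word/vbaProject.bin" in names or b"macroEnabled" in ctypes:
            findings.append("VBA project embedded (macro document)")
            if ext == "docx":
                findings.append("extension says .docx but the container carries macros")
    elif data.startswith(RTF_MAGIC):
        # Word opens RTF whatever the extension says, so exploit docs often ship as .doc
        if ext != "rtf":
            findings.append(f"RTF content disguised as .{ext or '?'}")
        for marker in sorted({m.group(0).decode() for m in RTF_MARKERS.finditer(data)}):
            findings.append(f"RTF marker {marker} (historically abused)")
    elif data.startswith(OLE_MAGIC):
        # macros in the binary format need an OLE parser (e.g. oletools' olevba)
        findings.append("legacy OLE container: check for macros with olevba")
    else:
        findings.append("not an Office container")
    return findings


def build_sample_ooxml(with_macro):
    """Constructed minimal OOXML container; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>'
                    % (DOCM_MAIN if with_macro else DOCX_MAIN))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


# Constructed samples mirroring the baits in the article ("Invoice", bank statement)
SAMPLES = {
    "Invoice.docm": build_sample_ooxml(with_macro=True),
    "Invoice.docx": build_sample_ooxml(with_macro=True),      # macro carrier, lying extension
    "Report.docx": build_sample_ooxml(with_macro=False),
    "Statement.doc": b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;41414141}}}}",
    "Notes.doc": OLE_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} -> {triage_attachment(name, data) or ['nothing notable']}")
```

In a mail gateway this kind of check belongs in front of the user: a .docm or an RTF-in-.doc addressed to accounting with the subject "Invoice" is exactly the profile of the campaigns described here, and quarantining it costs far less than cleaning up an office full of encrypted machines.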

In conclusion

The most important thing for the hacker in this process is to craft a bait that works: for example, a document of a type the user is interested in viewing. After opening it he sees what looks like an encoding problem, as in Pic 3 above. The user enables macros to view the whole document; in fact the macro is a script that downloads the Trojan onto the system. The key to this attack scenario is making the user want to open the infected file. Such campaigns can run for months and, although they are widely known, they remain popular.

This is not the end; hackers will keep looking for new methods and new ways to deceive people and make a lot of money from simple extortion. Be careful when opening e-mail attachments, and always pay attention to what you download and install!