What Is It?
A recent Malwarebytes blog entry describes a multi-stage attack that results in a commercially available Remote Access Tool (RAT), Orcus RAT, being downloaded and installed.
The first stage of this attack, a Microsoft Word document, is notable in that it requires no interaction from the user beyond opening the file. It abuses the hyperlink function of the OpenXML format: simply opening the document causes a malicious RTF document to be downloaded automatically.
The RTF document exploits CVE-2017-8759, a vulnerability patched by Microsoft in September 2017 that has also been used by attackers to distribute FINSPY malware. In this case, the exploit results in a PowerShell command that downloads and executes the RAT.
How Does It Propagate?
The malware is spread through a spam campaign carrying the malicious Word document; in this case, all the email needs to do is convince the user to open the document. As always, end user education is a critical component of securing any corporate environment. The attack also highlights the importance of timely patching: if the patch Microsoft released in September has already been applied, this attack will fail.
When/How Did BluVector Detect It?
There are three stages to this attack: the initial Word document, the RTF document and the RAT executable. All three files were identified as malicious by BluVector's machine learning malware detection engine. Regression testing has shown the files would have been detected by BluVector 4, 22 and 46 months respectively before they were released.