An (un)documented Feature: Attackers Abuse Office Document Software to Profile Potential Victims for Targeted Attacks

Kaspersky Lab experts have discovered a feature in popular document-creation software that has been abused by attackers to launch successful targeted attacks. Using a malicious application that activates when the simple office document is opened,information about the software installed on the victim’s deviceis sent automatically to the attackers, with no user interaction required. This data allows attackers to understand what type ofexploit they should use in order to hack the targeted device.
It doesn’t matter what device the document is opened on: the attack technique works on both desktop and mobile versions of popular text processing software.Kaspersky Lab has observed this method of profiling used in the wild by at least one cyberespionage actor, which the company’s researchers call FreakyShelly. Kaspersky Lab has reported the issue to the software vendor, but it has not yet been fully patched.
Some time ago, while investigating FreakyShelly targeted attacks, Kaspersky Lab’s experts detected a spear-phishing mailing of OLE2-format documents (these use Object Linking and Embedding technology that helps apps to create compound documents containing information from various sources, including from the Internet). A quick preview of the file did not arouse suspicion or mistrust. It included a set of useful tips on how to make the best use of the Google search engine and contained no known exploits or malicious macros. However, a deeper look into the document’s behavior showed that, when opened, the document for some reason senta specific GET request to an external web-page. The GET request contained information about the browser used on the device, the version of the OS, as well as data on some other software installed on the attacked device.The problem was that this web-page wasn’t something the application should send any requests to at all.
Further Kaspersky Lab research showed that the attack works because of how technical information about elements of the document is processed and stored inside it. Each digital document contains specific meta data about its style, text location and source, where pictures for the document (if there are any) should be taken from, and other parameters. Once opened, the office application would read these parameters and then build the document using them as a “map”. Based on the results of the investigation by Kaspersky Lab researchers, the parameter that is responsible for pointing to the location of pictures used in the document can be changed by the attackers through sophisticated code manipulations and make the document report to the web-page owned by a threat actor.
“Although this feature doesn’t enable a malware attack, it is dangerous because it can effectively support malicious activity by requiring almost zero-interaction from the user and being able to reach many people around the world, as the affected software is very popular. So far we have seen this feature used in only one instance. However, given the fact that it is really hard to detect, we expect that more cyberthreat actors may start using the technique in the future,” said Alexander Liskin, Heuristic Detection Group Manager, Kaspersky Lab.
Kaspersky Lab products successfully detect and block attacks conducted with help of this technique.
In order to prevent falling victim to such an attack, Kaspersky Lab experts advise users to implement the following practices:
•To avoid opening emails sent from unknown addresses and to avoid opening any attachments to such emails;
•To use proven security solutions capable of detecting such attacks, like Kaspersky Lab protection solutions.
The full research can be found in the Securelist blogpost, which also includes further deep technical information on the feature.