Cybercriminals Use an Undocumented Word Feature to Collect System Profile Data
A newly discovered and undocumented Microsoft Word feature enables attackers to gather information on their target systems by tricking victims to open a specially crafted Word document. But nope, there's no involvement of the infamous macros, any security vulnerabilities or embedded Flash objects. This new attack vector uses an Office feature called INCLUDEPICTURE as part of a multi-stage attack with the first step focused on gathering information on target's system configuration and application data.
"What did the bad guys want with that information? Well, to ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them," Kaspersky Lab wrote in a report published today. "In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit."
When macros are no longer "cool" in the world of cybercriminals...
The previously undocumented feature is seen in Microsoft Word for Windows and Microsoft Office for iOS and Android. Researchers first spotted this new attack when they observed several spear phishing campaigns that contained attachments that didn't seem malicious at first, due to the exclusion of any malware techniques that have been previously associated with Word. The emails contained attached Word documents in OLE2 (Object Linking and Embedding) format that contained links to PHP scripts on third-party web resources.
Using this document, attackers were able to create a field in a document that pointed to the graphic file instead of embedding it directly in the document. On further research, the team found the field “INCLUDEPICTURE” that was using Unicode as part of its instructions and not ASCII format as was expected. Using the former, the document was able to manipulate the code to trigger GET request to malicious URLs contained within the underlying code of the same Word document, with the links pointing to the aforementioned PHP scripts.
"This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed," the security researchers wrote. The team, however, had difficulty to understand what INCLUDEPICTURE was doing at first since they couldn't find any official description or information on how it should be interpreted.
Researchers added that this new attack mechanism uses a complex and sophisticated process using hidden Word features to remain undetected to profile potential victims. "In other words, they [attackers] perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks."