The exploit that attackers are using to target a zero-day vulnerability in Microsoft Word chains together several pieces, including an ASLR bypass, ROP techniques and shellcode wrapped in several layers of tooling designed to detect and defeat analysis. Microsoft officials said the exploit is being used in targeted attacks right now and that attackers are employing it to drop a backdoor on vulnerable machines.
The vulnerability, which Microsoft acknowledged yesterday in a security advisory, affects several versions of Word and Office, both on Windows and OS X, and is related to a problem in the handling of RTF files. Microsoft also acknowledged that there is a theoretical method through which an attacker could trigger the vulnerability in Outlook, but that method hasn’t been seen in the wild yet.
The targeted attacks that have been identified thus far are going after Word 2010, and Microsoft officials said that the exploit doesn’t seem to work against Word 2013, which has ASLR enforcement enabled. Rather, the exploit will simply crash the application. But on vulnerable machines, the exploit works well.
“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming techniques using native RTF encoding schemes to craft ROP gadgets,” Chengyun Chu and Elia Florio of the MSRC engineering team wrote in a blog post analyzing the exploit.
“When the memory corruption vulnerability is triggered, the exploit gains initial code execution and in order to bypass DEP and ASLR, it tries to execute the ROP chain that allocates a large chunk of executable memory and transfers the control to the first piece of the shellcode (egghunter). This code then searches for the main shellcode placed at the end of the RTF document to execute it.”
The shellcode itself has a number of components designed to detect whether it’s being run in an environment where it’s being analyzed. Many malware authors have employed this technique for several years. The shellcode used in the Word attack has several layers of encryption and also checks for debugging flags and indicators that the code is running in a sandbox. The shellcode also has a feature that looks at the patch level of the compromised machine to determine when the last update was installed.
“The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014. This means that even after a successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on execution of multiple Windows scripts via WScript.Shell, and it can install/run additional MSI components,” the Microsoft researchers said.
Microsoft has released a list of indicators of compromise for the backdoor this attack drops, one of which is that the malware communicates over SSL with a command-and-control server that presents a self-signed certificate.