Attackers Use Undocumented MS Office Feature to Leak System Profile Data

An undocumented Microsoft Office feature allows for spying via specially crafted Word documents—no macros, exploits or any other active content needed.

An undocumented Microsoft Office feature allows attackers to gather sensitive configuration details on targeted systems simply by tricking recipients to open a specially crafted Word document—no VBA macros, embedded Flash objects or PE files needed.

The undocumented feature is being used by adversaries, according to Kaspersky Lab researchers, as part of a multistage attack that first involves gathering the system configuration data on targeted systems.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” wrote Kasperky Lab researchers in a blog post Monday explaining their research.

The feature is present in Word for Windows as well as on Microsoft Office for iOS and in Microsoft Office for Android. Researchers say they have observed several spear phishing campaigns containing the malicious attachments that are laying the groundwork for future attacks using this technique.

“To ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them. In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit,” researchers said.

Emails in the phishing campaign contained Word documents in OLE2 (Object Linking and Embedding) format. OLE allows authors to embed objects and link to multiple resources or other objects in a single Word document. Using it can allow an author to create a field in a document that “points” to the graphic file as opposed to simply embedding the graphic file, for example.

When researchers looked closer at the underlying code behind questionable Word attachments that were part of the phishing campaign they found the field “INCLUDEPICTURE” that was using Unicode as part of its instructions and not ASCII format as it should have.

Using that Unicode framework, hackers were able to manipulate the code to trigger GET request to malicious and obfuscated URLs contained within the underlying code of the very same Word document attachment. Those links then pointed to PHP scripts located on third-party web resources. “As a result, the attackers received information about the software installed on the computer,” they said.

Researchers identified the undocumented Microsoft feature only as INCLUDEPICTURE field. “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field,” they said.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky researchers said.  They said there is nothing suspicious about the Word document at first glance, just Google search tips.

Suggested articles