Exploits embedded inside documents such as Microsoft Word files, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving, and nimble hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.
Researcher Mila Parkour reported in June that she had collected 90 RTF files over the course of three months, many with China-related file names and many targeting specific industries. All of them exploited CVE-2012-0158, a vulnerability in the ActiveX controls of MSCOMCTL.OCX, a Microsoft component used for object linking and embedding (OLE) in documents and other files. Successful exploits allow remote attackers to execute code via a malicious web page, Office document or RTF file.
“Many believe RTF is a relatively safe format, just as it was back in the day when people might not trust Word docs and would send PDFs around instead. Today, we chuckle at that,” said Lenny Zeltser, a handler at the SANS Internet Storm Center. “Today, Word and PDF documents are risky and people are sending RTF files. We can now see attackers finding ways to use RTF files in exploits.”
Some of the samples in the wild have been fairly sophisticated and difficult to examine, Zeltser said. Some, for example, have contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting. German security researcher Frank Boldewin, keeper of the OfficeMalScanner toolkit, is among those recognizing this new trend. He updated the popular, freely available tool with RTFScan, which can help identify RTF-based exploits and extract embedded artifacts for examination.
“The tool is fantastic for analyzing malicious RTF files,” Zeltser said. “Attackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it’s exploited, what happens next.”
In one example posted on the ISC Diary today, RTFScan found an embedded OLE object containing the attacker's shellcode, which would be executed by a vulnerable Word installation opening the document, Zeltser wrote. RTFScan worked through the obfuscation in place and extracted the malicious embedded executable.
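As an added illustration, not code from the article and not Boldewin's RTFScan, here is a small Python triage script in the same spirit: it pulls hex-encoded `\objdata` streams out of an RTF file, reassembles them despite whitespace, line breaks and stray control words, and flags embedded OLE containers and PE (`MZ`) headers so an analyst knows where to look. The sample RTF is constructed for the demonstration.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file signature
PE_MAGIC = b"MZ"                                # DOS stub that opens every PE file

# Constructed sample: a minimal RTF carrying one \objdata object. The hex stream is
# split by whitespace, a line break and a stray control word, mimicking the kind of
# obfuscation that makes these streams hard to carve out by hand.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata "
    r"d0cf11e0a1b1 1ae1" "\r\n" r"0000\par 4d5a 9000 0300 0000 ff}}}"
)

# Control words (\par, \bin0 ...), hex escapes (\'hh) and the \* marker are not data.
_CTRL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}|\\\*")

def _group_body(text, start):
    """Return the text from `start` up to the brace that closes the enclosing group."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]          # unterminated group: take what is there

def decode_objdata(body):
    """Strip control words, braces and whitespace, then hex-decode what remains."""
    cleaned = re.sub(r"[{}\s]", "", _CTRL_WORD.sub("", body))
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]   # drop a truncated trailing nibble
    try:
        return bytes.fromhex(cleaned)
    except ValueError:
        return b""               # not a hex stream; skip it

def scan_rtf(rtf):
    """Locate every \\objdata stream and report embedded OLE / PE markers."""
    findings = []
    for m in re.finditer(r"\\objdata\b", rtf):
        blob = decode_objdata(_group_body(rtf, m.end()))
        if not blob:
            continue
        findings.append({
            "rtf_offset": m.start(),                 # where \objdata sits in the file
            "size": len(blob),                       # decoded object size in bytes
            "is_ole": blob.startswith(OLE_MAGIC),    # OLE2 container at the start?
            "pe_offsets": [i for i in range(len(blob) - 1) if blob[i:i + 2] == PE_MAGIC],
        })
    return findings

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

A hit with `is_ole` set and a non-empty `pe_offsets` list is the cue to carve the blob at that offset and hand it to a sandbox or debugger.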
“RTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,” he said. “This would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. The number of attacks is not shrinking and attackers find all sorts of techniques to deliver payloads with the help of Word, PDF, Excel and now RTF documents.”