Tool Scans for RTF Files Spreading Malware in Targeted Attacks

Exploits embedded inside Microsoft Office documents such as Word, PDFs and Excel spreadsheets have been at the core of many targeted attacks during the past 24 months. Detection of these attack methods is improving and nimble hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities.

Researcher Mila Parkour reported in June she’d collected 90 RTF files over the course of three months, many with China-related file names and many targeting specific industries. All of them were exploiting CVE-2012-0158, a vulnerability in ActiveX controls within MSCOMCTL.OCX–OLE files developed by Microsoft to allow object linking and embedding to documents and other files. Successful exploits allow remote attackers to execute code over the Web, Office docs, or RTF files.

“Many believe RTF is a relatively safe format, just as it was back in the day when people might not trust Word docs and would send PDFs around instead. Today, we chuckle at that,” said Lenny Zeltser, a handler at the SANS Internet Storm Center. “Today, Word and PDF documents are risky and people are sending RTF files. We can now see attackers finding ways to use RTF files in exploits.”

Some of the samples in the wild have been fairly sophisticated and difficult to examine, Zeltser said. Some, for example, have contained embedded portable executable files that are a challenge to find and extract without some heavy manual lifting. German security researcher Frank Boldewin, keeper of the OfficeMalScanner toolkit, is among those recognizing this new trend. He updated the popular, freely available tool with RTFScan, which can help identify RTF-based exploits and extract embedded artifacts for examination.

“The tool is fantastic for analyzing malicious RTF files,” Zeltser said. “Attackers are using more sophisticated ways of concealing artifacts in RTF files, which makes them harder to examine. The tool is designed to help a trained security analyst figure out the nature of the file, and if it’s exploited, what happens next.”

In one example posted on the ISC Diary today, RTFScan was able to find an embedded OLE object that included the attacker’s shellcode that would be executed by a vulnerable Word doc, Zeltser wrote. RTFScan was able to get around the obfuscation in place and extract the malicious embedded executable.
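The kind of check described above, as an added example that is not part of the article and not code from OfficeMalScanner or RTFScan: it locates `\objdata` hex groups in an RTF, decodes them, and reports whether the embedded object carries an OLE compound-file header or a PE image (the sample RTF and its payload are constructed inline).

```python
import re
import binascii

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
PE_MAGIC = b"MZ"                                 # DOS stub that opens a PE image

# \objdata carries the embedded object as hex digits, usually split across lines.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata group into raw bytes (whitespace/CRLF stripped)."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexdata = _NON_HEX_RE.sub(b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a dangling nibble in a truncated sample
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def find_pe(blob: bytes) -> int:
    """Offset of an 'MZ' header whose e_lfanew (at +0x3C) points at 'PE\\0\\0', else -1."""
    start = 0
    while (i := blob.find(PE_MAGIC, start)) != -1:
        if len(blob) >= i + 0x40:
            e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
            if blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                return i
        start = i + 1
    return -1


def scan_rtf(rtf: bytes) -> list:
    """One finding per embedded object: size, OLE header offset, PE header offset."""
    return [{"size": len(b), "ole_offset": b.find(OLE_MAGIC), "pe_offset": find_pe(b)}
            for b in extract_objdata_blobs(rtf)]


def build_sample() -> bytes:
    """Constructed sample (not a real exploit): an RTF whose object data wraps a fake PE."""
    fake_pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 8
    payload = OLE_MAGIC + b"\0" * 8 + fake_pe          # OLE header, padding, then the PE
    hexdata = binascii.hexlify(payload)
    lines = b"\r\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
            + lines + b"}}}")
```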

“RTFScan tells you where to find the shellcode, extract it and turn it into a Windows executable,” he said. “This would allow an analyst to debug it and observe what happens after it executes, how the malware behaves. This is very important for analysts because the frequency of using Microsoft Office docs continues to be very common. The number of attacks is not shrinking and attackers find all sorts of techniques to deliver payloads delivered with the help of Word, PDF, Excel and now RTF documents.”
