Threat Overview:
A previously undisclosed vulnerability has been identified in the wild, affecting unpatched versions of Microsoft Office and Microsoft Windows Operating Systems.
The vulnerability relates to the Windows OLE (Object Linking and Embedding) function, found in Microsoft Windows and Office software, which allows an application to link to and embed content in other documents, and is being leveraged by malicious actors as a targeted attack vector for the installation of multiple malware variants. Analysis of the attack chain reveals an adversary sending the victim an email containing a Word document as an attachment. When the targeted user opens this specially crafted Word document, the exploit fires: the winword.exe application is launched and triggers the download of a malicious HTA (HTML Application) file from a remote server controlled by the attacker. The .hta file is executable, giving the attacker remote code execution on the target computer. The .hta file is disguised as an RTF (Rich Text Format) document in an attempt to evade current security countermeasures.
Importantly, this RTF is intended to act as a decoy, while the malicious HTML application continues to run in the background, downloading additional payloads and executing a malicious script to install malware onto the user's system. The original winword.exe process is terminated in an attempt to hide the user prompt generated by the OLE2link.
Detection:
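The Detection heading has no body on this page. As an added example (not the advisory's own content), the following Python script performs static triage of an RTF attachment for the pattern described above: an OLE object that is linked rather than embedded and set to refresh when the document opens, whose object data carries the OLE2Link marker and a remote URL. The RTF control words it keys on (\objautlink, \objupdate, \objdata) and the hex-encoded layout of \objdata are assumptions about the RTF format, not details taken from the advisory; the sample document is a constructed fixture that only contains those markers and is not a working document exploit.

```python
"""Static triage of an RTF for an auto-updating OLE2Link object.

Added example, not part of the advisory. Assumptions (about RTF, not the
advisory): a linked object is declared with \objautlink, \objupdate asks
Word to refresh it on open, and \objdata holds the object as hex text.
"""
import re

NON_HEX = re.compile(rb"[^0-9a-fA-F]")                      # whitespace/newlines inside \objdata
OBJDATA = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")   # capture the hex run after \objdata
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+", re.I)
URL_TEXT = re.compile(r"https?://[\x21-\x7e]+", re.I)      # same pattern over decoded UTF-16 text


def decode_objdata(hex_blob: bytes) -> bytes:
    """Strip layout characters and turn the hex run into raw bytes."""
    clean = NON_HEX.sub(b"", hex_blob)
    if len(clean) % 2:            # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def extract_urls(blob: bytes) -> list:
    """Find remote URLs stored either as ASCII or as UTF-16LE (both alignments)."""
    found = [u.decode("ascii") for u in URL_ASCII.findall(blob)]
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16le", errors="ignore")
        found.extend(URL_TEXT.findall(text))
    return list(dict.fromkeys(found))   # de-duplicate, keep order


def scan_rtf(doc: bytes) -> dict:
    """Report the indicators and a verdict for one document's bytes."""
    result = {"autolink": False, "autoupdate": False, "ole2link": False,
              "urls": [], "verdict": False}
    if not doc.lstrip().startswith(b"{\\rtf"):
        return result                  # not RTF; other parsers apply
    result["autolink"] = b"\\objautlink" in doc
    result["autoupdate"] = b"\\objupdate" in doc
    for match in OBJDATA.finditer(doc):
        blob = decode_objdata(match.group(1))
        if b"OLE2Link" in blob:
            result["ole2link"] = True
        result["urls"].extend(extract_urls(blob))
    result["urls"] = list(dict.fromkeys(result["urls"]))
    # A linked, auto-updating object pointing at a remote server is the
    # fetch-on-open behaviour the advisory describes.  The remote content
    # may be an HTA disguised as RTF, so the URL's extension is not used.
    result["verdict"] = (result["autolink"] and result["autoupdate"]
                         and (result["ole2link"] or bool(result["urls"])))
    return result


def _build_sample() -> bytes:
    """Constructed fixture: just the markers, not a real OLE structure."""
    url = "http://attacker.example/doc.rtf"          # placeholder host (RFC 2606)
    payload = b"OLE2Link" + b"\x00" * 8 + url.encode("utf-16le") + b"\x00\x00"
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + payload.hex().encode("ascii") + b"}}}")


SAMPLE_RTF = _build_sample()

if __name__ == "__main__":
    for name, data in (("constructed sample", SAMPLE_RTF),
                       ("plain RTF", b"{\\rtf1\\ansi Hello}")):
        print(name, scan_rtf(data))
```

Run the script over a quarantined attachment's bytes (for example, `scan_rtf(open(path, "rb").read())`) and treat a true verdict as a reason to detonate or block the file; a file that fails the RTF check still deserves inspection by the appropriate parser, since the advisory notes the attacker relies on disguising content types.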
Remediation & Mitigation:
Microsoft is expected to release a patch shortly, which should be applied as soon as it is available. In the interim, the following measures can be taken to mitigate the impact of this malware delivery method: