
A targeted attack is abusing Word documents to collect information about different types of software installed on a user’s computer.

Kaspersky Lab came across the operation while investigating the Freakyshelly targeted attack. The campaign consists of spear-phishing emails laden with malicious attachments that don’t contain macros, exploits, or any other active content. Instead they contain links to PHP scripts on third-party web resources.

When a user opens the document, Word sends a GET request to one of those third-party web resources. That request carries version information about the affected computer's operating system, Microsoft Word, and other installed software to the attackers.

A suspicious document that Kaspersky Lab identified as part of the spear-phishing operation. (Source: Securelist)

So why would attackers need this type of information? Kaspersky Lab’s Alexander Liskin, Anton Ivanov, and Andrey Kryukov explain:

“What did the bad guys want with that information? Well, to ensure a targeted attack is successful, intelligence first needs to be gathered, i.e. the bad guys need to find ways to reach prospective victims and collect information about them. In particular, they need to know the operating system version and the version of some applications on the victim computer, so they can send it the appropriate exploit.”

Curious to understand why Word followed that link, Liskin, Ivanov, and Kryukov took a deep dive into the attack document's data stream. Near offset 0 they found a SHAPEFILE form whose name is a suspicious link. The link serves only as the object's name, so the document doesn't use it in any way. But the value 0x0000000E contains three flags indicating that a URL should lead to the actual content of the form, and this URL is the link that Word follows when an unsuspecting user opens the document.
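One practical check a defender can run on a suspicious .docx before anyone opens it is to list every relationship in the package that points at an external http(s) URL, since those are the links Word may contact on open. The script below is an added example, not code from the article or from Kaspersky Lab; it builds a constructed sample package with placeholder hosts (`*.example.invalid`) rather than any real indicator, and treats non-hyperlink relationship types (image, oleObject, frame) as fetched when the document is rendered, which is an assumption stated in the comments.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS


def external_targets(docx_bytes):
    """Return (part, rel_type, target, auto_fetch) for every http(s) external
    relationship in the package. auto_fetch is True for non-hyperlink types
    (image, oleObject, frame, ...), which Word typically resolves while
    rendering; a hyperlink is only followed when clicked (assumption)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue  # relationships live only in *.rels parts
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if not re.match(r"(?i)^https?://", target):
                    continue  # file:// or UNC targets are out of scope here
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, rel_type, target, rel_type != "hyperlink"))
    return found


# Constructed sample: a minimal package with one linked (external) picture
# and one ordinary hyperlink. The hosts are placeholders, not real indicators.
RELS = ('<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/image" '
        'Target="http://beacon.example.invalid/get.php" TargetMode="External"/>'
        '<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/hyperlink" '
        'Target="https://docs.example.invalid/" TargetMode="External"/>'
        '</Relationships>' % REL_NS)


def build_sample_docx():
    """Write the constructed parts into an in-memory zip (a .docx is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target, auto in external_targets(build_sample_docx()):
        print(f"{part}: {rel_type} -> {target} "
              f"[{'FETCHED ON OPEN' if auto else 'click only'}]")
```

Point the same function at a real attachment's bytes to get the list of outbound URLs to block or sinkhole; any non-hyperlink external target in a document that should be self-contained is worth a closer look.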

Microsoft Office users on Windows computers, Android phones, and iOS devices are all vulnerable to this type of attack.

To protect themselves, vulnerable users should familiarize themselves with the most common forms of phishing attacks and how to defend against them. They should also make sure to implement patches for Microsoft Office, their operating system, and other software as soon as they become available.
