Bad Code Found in OLE

Monday, June 20, 2016 @ 11:06 AM gHale


There is a macro-like infection method attackers could use on the Microsoft Object Linking and Embedding (OLE) system.

The infection could entice users into running malicious scripts.


OLE is proprietary Microsoft technology used in some of the company’s software products, which allows users to embed or link to various types of content inside the software.

Users usually employ OLE to embed Flash content, graphs, images, and more. One of the objects users can embed is VBScript or JavaScript code.

Last month, Microsoft officials said the company’s security products started picking up malicious documents attached to spam email that leveraged OLE objects.

Users who downloaded and opened the Office documents received the same message seen with many macro malware campaigns.

Attackers said the file required “human verification” and the user needed to double-click the big icon at the center of the document.

When users double-clicked the icon, as instructed, a popup would appear asking them if they wanted to run the object, which in this case could have been either a JavaScript or a VBScript file.

Both scripting languages have support in Windows and have access to powerful system-level commands.

For this particular campaign, the malicious scripts downloaded an encrypted binary. The scripts also managed to bypass network-based protections designed to detect malicious data formats.

The scripts then saved the encrypted binary on disk, decrypted its content, and executed it, effectively installing either the Vibrio or the Donvibs Trojans.

These two are malware droppers, designed for the sole purpose of getting an initial foothold and then downloading more potent malware after they gained boot persistence on the target’s machine. Microsoft said in this case, the final payload was the Cerber ransomware.

The OLE attack approach relies on social engineering, since a user still needs to click and approve the execution of malicious code, just like users have to enable macro support in Office docs.

Unlike macro malware, the OLE attack has novelty on its side, as most users won’t know that, by allowing the embedded JavaScript and VBScript objects to run, they are exposing themselves to malware infections.

Microsoft published instructions on how to avoid getting contaminated with malware via malicious OLE objects.

The company recommends administrators find and edit the following registry key on all their workstations: HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

The value of <Office Version> can be 16.0 (Office 2016), 15.0 (Office 2013), 14.0 (Office 2010), or 12.0 (Office 2007). The value of <Office application> is the Office application name, usually Word, Excel, and the rest.

The value of the registry key should be “2,” Microsoft said. The value “2” means “No prompt, Object does not execute.” The value “1” means “Prompt from Office when user clicks, object executes,” while “0” stands for “No prompt from Office when user clicks, object executes.”
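The following PowerShell script is an added example, not code from the article or from Microsoft, that audits and applies the PackagerPrompt setting described above. It uses the Office versions the article lists; the application names Word, Excel and PowerPoint are an assumption (the article only says “Word, Excel, and the rest”), and it only touches Security keys that already exist so it does not create entries for Office versions that are not installed.

```powershell
# Added example: audit and harden PackagerPrompt for the current user.
# HKCU keys apply to the user running the script, so on a fleet this would be
# deployed per user (logon script or Group Policy Preferences), which is an
# assumption about deployment, not something the article specifies.

# Office versions named in the article; application names are an assumption.
$OfficeVersions = @('16.0', '15.0', '14.0', '12.0')
$OfficeApps     = @('Word', 'Excel', 'PowerPoint')

# Meaning of each PackagerPrompt value as quoted in the article.
$PromptMeaning = @{
    0 = 'No prompt from Office when user clicks, object executes'
    1 = 'Prompt from Office when user clicks, object executes'
    2 = 'No prompt, Object does not execute'
}

# Desired hardened value per Microsoft's recommendation quoted in the article.
$HardenedValue = 2

function Get-PackagerPromptState {
    # Returns one record per installed (version, application) pair.
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $keyPath = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path -Path $keyPath)) { continue }   # not installed / never run

            $props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $current = $props.PackagerPrompt

            if ($null -eq $current) {
                $meaning = 'Not set (application default applies)'
            } else {
                $meaning = $PromptMeaning[[int]$current]
            }

            [pscustomobject]@{
                Version  = $ver
                App      = $app
                Value    = $current
                Hardened = ($current -eq $HardenedValue)
                Meaning  = $meaning
            }
        }
    }
}

function Set-PackagerPromptBlock {
    # Sets PackagerPrompt = 2 ("No prompt, Object does not execute") for every
    # installed pair. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($ver in $OfficeVersions) {
        foreach ($app in $OfficeApps) {
            $keyPath = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path -Path $keyPath)) { continue }

            if ($PSCmdlet.ShouldProcess("$keyPath\PackagerPrompt", "Set to $HardenedValue")) {
                New-ItemProperty -Path $keyPath -Name 'PackagerPrompt' `
                    -Value $HardenedValue -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Audit first; apply with Set-PackagerPromptBlock (or -WhatIf to preview).
Get-PackagerPromptState | Format-Table -AutoSize
```

Run the audit on a workstation to see which Office installations still prompt or silently execute embedded objects (values 1 or 0, or no value at all), then call Set-PackagerPromptBlock -WhatIf to preview and Set-PackagerPromptBlock to apply. Re-running the audit afterwards is the check that the Hardened column reads True for every installed pair.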
