Hackers are using a Microsoft Office patch to steal your personal data

by Alexandru Poloboc
  • Attackers found a new way inside your computer, leaving all your data exposed.
  • This time, ingenious cyber criminals bypassed the patch for a critical Microsoft Office vulnerability.
  • A Microsoft Cabinet archive, containing a malicious executable, would be automatically downloaded.
  • Malicious third parties spread this exploit to their victims via spam emails.

In this ever-growing and ever-changing online world, threats have become so common and so hard to detect that staying protected is only a matter of remaining one step ahead of the attackers.

New research results published by cybersecurity firm Sophos show that malicious third parties were able to take a publicly available proof-of-concept Office exploit and weaponize it to deliver the Formbook malware.

Allegedly, cybercriminals actually managed to create an exploit capable of bypassing the patch for a critical remote code execution vulnerability in Microsoft Office, which got patched earlier this year.

Attackers bypass critical Microsoft Office patch with exploit

You don’t have to go back in time that long to figure out where it all started. Back in September, Microsoft released a patch to prevent attackers from executing malicious code embedded in a Word document.

Thanks to this flaw, a Microsoft Cabinet (CAB) archive, containing a malicious executable, would be automatically downloaded.

This was achieved by reworking the original exploit and placing the malicious Word document inside a specially crafted RAR archive that delivered a form of the exploit capable of successfully evading the original patch.

Furthermore, this latest exploit was delivered to its victims using spam emails for approximately 36 hours before it disappeared completely.

The security researchers at Sophos believe that the exploit’s limited lifespan could mean that it was a dry run experiment that could be used in future attacks.

The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.

It was also discovered that the attackers responsible had created an abnormal RAR archive that had a PowerShell script prepended to a malicious Word document stored inside the archive.
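The malformed-archive trick described above gives defenders one concrete thing to look for: a RAR signature that does not sit at the very start of the file, with other content in front of it. The following triage check is an added example, not code from the article or from Sophos; the RAR magic bytes are the publicly documented RAR 4.x and RAR 5.x signatures, and the sample files are constructed inline.

```python
"""Flag RAR files whose archive signature is preceded by other data.

Added example (not from the original article or from Sophos). WinRAR is
tolerant of leading junk, so an archive with a script or other content
prepended still opens; this check locates the real signature and reports
whatever sits in front of it. Sample inputs below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Publicly documented RAR magic strings (RAR 1.5-4.x and RAR 5.x).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


@dataclass
class RarCheck:
    version: str   # "rar4" or "rar5"
    offset: int    # byte offset where the archive really starts
    prefix: bytes  # bytes found in front of the signature (empty if clean)


def inspect_rar(blob: bytes) -> Optional[RarCheck]:
    """Locate the RAR signature; return None if the data carries none."""
    hits = [(blob.find(magic), ver)
            for magic, ver in ((RAR5_MAGIC, "rar5"), (RAR4_MAGIC, "rar4"))]
    hits = [(off, ver) for off, ver in hits if off >= 0]
    if not hits:
        return None
    offset, version = min(hits)          # earliest signature wins
    return RarCheck(version=version, offset=offset, prefix=blob[:offset])


def is_suspicious(blob: bytes) -> bool:
    """True when a RAR signature exists but something was prepended to it."""
    result = inspect_rar(blob)
    return result is not None and result.offset > 0


# Constructed samples: a clean header, one with text prepended, and a
# non-RAR file (ZIP-style header) for comparison.
CLEAN = RAR4_MAGIC + b"\x00" * 16
PREPENDED = b"# constructed prepended text\r\n" + RAR5_MAGIC + b"\x00" * 16
NOT_RAR = b"PK\x03\x04" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("prepended", PREPENDED), ("not_rar", NOT_RAR)):
        print(name, inspect_rar(data), "suspicious" if is_suspicious(data) else "ok")
```

Because the check works on raw bytes, it can be run on mail attachments before any archive tool touches them, independent of whether WinRAR would accept the file.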

In order to help spread this dangerous RAR archive and its malicious contents, the attackers created and distributed spam emails which invited victims to uncompress the RAR file to access the Word document.

So keep this in mind when dealing with this software, and be cautious if something seems even remotely suspicious.

Staying safe should be the number one priority for us all when dealing with the internet. Simple actions that might seem harmless at first could trigger serious chains of events and consequences.

Were you also a victim of these malware attacks? Share your experience with us in the comments section below.
