Beware: the computers will attack the new virus in a Word file

Techno 19 February, 2018

2018-02-19 09:39

Beware: the computers will attack the new virus in a Word file
Experts have told how the pest.

Sign up for news “UkrMedia” in Facebook, Twitter or Google+

In the Internet we found a new kind of virus that enters to user computers via e-mail under the guise of a Word document, reports Rus.Media.

This method the attackers are practicing for quite a while, however, the key feature of the virus was the complete absence of macros, which never happened before. Prior to that, when you open infected attachments that users can see a warning or pop-UPS. In the case of a new virus that doesn’t happen. Using virus attackers can steal credentials victim email, FTP and browsers. In addition, researchers have noted another feature – multi-level nature of the attack. So, the experts at Trustwave, said that the virus uses a combination of methods that start with attachments format .DOCX. Victims receive e-mail various letters related to finances. All experts identified the e-mail contained an attachment named “receipt.docx”.

The process of the attack with four stages starts with opening the file .DOCX and run the embedded OLE object containing a link. This allows you to reference external access to the remote OLE objects. According to analysts, the attackers use the fact that Word documents created using Microsoft Office 2007 use the Open XML format, which is based on XML and ZIP files. Therefore, such files can be easily manipulated programmatically or manually.

The second stage is to use the Word-file to start downloading the file with the RTF extension. The latter uses the vulnerability editor Office Equation Editor, Microsoft closed in November 2017.

The third stage consists of decoding the text inside the RTF file, which, for its part, is launching a command prompt mshta EXE and it loads and opens the HTA file. The latter contains a PowerShell script and executes malicious Password Stealer. This virus steals credentials from e-mail programs, FTP and browser.

Experts noted an unusually large number of stages and scenarios that uses the virus. In addition, the DOCX, RTF and HTA are rarely blocked e-mail or network gateways, as opposed to the more obvious, such as VBS, J, or WSF. Therefore, they urge users not to open files received from unknown senders.