Why malware authors keep using the same old Microsoft Office exploits

SophosLabs Principal Malware Researcher Gabor Szappanos has closely studied Microsoft Office exploits for the past few years. We’ve previously covered his investigation of the Microsoft Word Intruder exploit creation kit, and his recent paper exploring the most popular Office exploit kits.

In a new research report, Gabor takes a closer look at the top four Office exploit kits used in the last quarter of 2015. He also reports which exploits were most commonly used in malicious documents, and shows us what families of malware were distributed by the studied samples.

As Gabor explains, malware authors are increasingly attracted to document exploits as the initial entry point for their attacks. The attackers spread their booby-trapped Office documents through phishing emails spammed out to large numbers of random recipients (cybercrime groups), or to a more select list of targets (APT groups).

Notably, most of the Office exploits that malware authors are using in malicious documents are now several years old. The most popular one, CVE-2012-0158, was patched by Microsoft in April 2012 and has therefore been around for well over three years.

In recent years, some newer exploits have challenged the leader. CVE-2013-3906 and CVE-2014-1761 were also commonly used, and August 2015 saw a newer Office exploit (CVE-2015-1641) start to appear more prominently. But none of these has overtaken CVE-2012-0158, which still accounted for 48% of the exploits used in the final quarter of 2015.

The chart below breaks down the document exploits used in reported incidents from the fourth quarter of 2015.

[Chart: breakdown of document exploits used in reported incidents, Q4 2015]

Why are older exploits still being used by malware authors?

As Gabor explains, these exploits continue to work against a large percentage of the user population, despite Microsoft having patched these security holes years ago.

Newer exploits may have more value to the cybercrooks, because even fewer users are expected to be patched against newer exploits, Gabor says. But it seems that the older exploits used by the most popular Office exploit kits can still get the job done.

Check out Gabor’s research paper for more of his insights into the most prominent Office exploits and the ways malware authors are using commercial exploit kits to carry out their attacks.

Staying safe from malicious Office documents

  • Patch promptly. The booby-trapped Office documents generated by exploit kits attack security holes that were patched years ago.
  • Keep your security software up to date. A good antivirus can block document attacks like this at several points, starting with the original inbound email.
  • Beware of unsolicited attachments. This can be hard when your job requires you to work through email, but avoid opening just any old document.
  • Consider using a stripped-down document viewer. Microsoft’s own Word Viewer, for example, is usually much less vulnerable than Word itself. It doesn’t support macros, either, which protects against Locky-type attacks.
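The advice above boils down to treating every inbound Office document as untrusted until its container has been inspected. The script below is an added example, not code from Sophos, Gabor's paper or any exploit kit: it sniffs an attachment's real format from its magic bytes (the extension is attacker-controlled) and flags the features the booby-trapped documents discussed here depend on, namely the legacy OLE2 binary format, VBA macro storage (the Locky-style delivery path that Word Viewer cannot execute), ActiveX and embedded-object parts in OOXML packages, and embedded OLE objects in RTF. The sample inputs are constructed stubs built inline, not real malware, and the verdicts are heuristic: a "low" result means nothing suspicious was found, not that the file is safe.

```python
"""Attachment triage for Office documents.

Added example, not code from Sophos or the paper. It classifies an attachment
by magic bytes and flags the features the malicious documents described above
rely on: the legacy OLE2 binary format, VBA macro storage, ActiveX/embedded OLE
parts in OOXML packages, and embedded objects in RTF. Heuristic only: a "low"
verdict is not a guarantee.
"""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) is a ZIP package
RTF_MAGIC = b"{\\rt"                               # Word accepts this truncated header, not only {\rtf1

# Control words that introduce an embedded OLE object in RTF. \objupdate makes
# Word load the object as soon as the file opens, without any click from the user.
RTF_OBJECT_WORDS = re.compile(rb"\\(objdata|objclass|objupdate|object)\b")

# A finding containing any of these substrings escalates the verdict to "high".
HIGH_RISK = ("VBA", "ActiveX", "embedded", "malformed")


def sniff_format(data):
    """Classify by magic bytes; the file extension is chosen by the attacker."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip()[:4] == RTF_MAGIC:
        return "rtf"
    return "unknown"


def triage(data):
    """Return {"format", "findings", "risk"}; risk is "high", "review" or "low"."""
    fmt = sniff_format(data)
    findings = []

    if fmt == "ole2":
        findings.append("legacy OLE2 container, the binary format most of these old exploits target")
        # OLE2 directory entry names are UTF-16LE; a VBA project lives in a
        # "Macros" storage holding a "_VBA_PROJECT" stream.
        for name in ("Macros", "_VBA_PROJECT"):
            if name.encode("utf-16-le") in data:
                findings.append("VBA macro storage present (%s)" % name)
                break

    elif fmt == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("malformed ZIP package")
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append("VBA macro project part: " + name)
            elif "/activex/" in lower:
                findings.append("ActiveX control part: " + name)
            elif "/embeddings/" in lower:
                findings.append("embedded OLE object part: " + name)

    elif fmt == "rtf":
        hits = sorted({h.decode() for h in RTF_OBJECT_WORDS.findall(data)})
        if hits:
            findings.append("embedded OLE object in RTF: " + ", ".join("\\" + h for h in hits))

    else:
        findings.append("not a recognised Office container")

    if any(key in f for f in findings for key in HIGH_RISK):
        risk = "high"
    elif fmt == "ooxml" and not findings:
        risk = "low"
    else:
        risk = "review"   # legacy format, bare RTF or unknown: a human should look
    return {"format": fmt, "findings": findings, "risk": risk}


def build_docx(extra_parts):
    """Constructed minimal OOXML package for the demonstration; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, blob in extra_parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed inputs for the demonstration (not real samples).
CLEAN_DOCX = build_docx({})
MACRO_DOCX = build_docx({"word/vbaProject.bin": b"\x00" * 32})
OBJECT_RTF = b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000}}}"
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")  # header stub only

if __name__ == "__main__":
    for label, blob in [("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCX),
                        ("order.rtf", OBJECT_RTF), ("report.doc", LEGACY_DOC)]:
        print(label, triage(blob))
```

In practice the "review" and "high" buckets are what you route to a sandbox or a stripped-down viewer rather than straight to the user's copy of Word; the check is cheap enough to run on every attachment at the mail gateway, which is the earliest point at which the article says a good security product should be blocking these documents.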

Image of Microsoft Office apps courtesy of dennizn / Shutterstock.com.

2 comments on “Why malware authors keep using the same old Microsoft Office exploits”

  1. Does this mean almost half of all Office installs have not been patched since 2012 or does it mean none of Microsoft’s patches have fixed an issue that is almost four years old?

    • Hi, these stats are not about how many of the Office installs were not patched, and the numbers in the stats do not indicate that the exploitation attempt was successful, only that it was attempted. The numbers show how much the criminals rely on particular exploits. The fact that they are using CVE-2012-0158 indirectly shows that they still have success with this exploit.
