Cybercriminals shift their tactics for Microsoft Office document exploitation – SophosLabs research

This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.

For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.

SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.

Along with these new vulnerabilities, these Microsoft Office document exploit kits also have strengthened their tactics and added new complexities to their attacks. For example, the newest version of the Microsoft Word Intruder now includes the ability to deploy a decoy document, as well as new payload files that are relocated to the end of the exploit block. The decoy document allows the attackers to better hide their tracks while the exploit is at work.

Despite all these changes, one thing that hasn’t really changed is the delivery system. These exploits are still sent via email – regardless of whether it’s a 0-day targeted attack or a large-scale attack on a wide audience.

These emails use common social engineering methods to urge the recipient to open the malicious attachment, which generally looks like a Microsoft Word document in DOCX format. Often the payload from these attacks will point the victim to a command-and-control server that hosts webpages to phish additional credentials, such as email, from the victim.

For an in-depth examination of exploit kits using CVE-2015-1641 and CVE-2015-2545, be sure to download the paper, as well as all our other SophosLabs research, on our technical papers page.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.

You can find our industry-leading research and technical papers, expert opinion, and security advice at Naked Security and right here on the Sophos Blog.

Sign up for our Sophos Blog newsletter, follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s