Kaspersky Lab experts have discovered a feature in popular document-creation software that has been abused by attackers to launch successful targeted attacks.
Using a malicious application that activates when the simple office document is opened, information about the software installed on the victim’s device is sent automatically to the attackers, with no user interaction required. This data allows attackers to understand what type of exploit they should use in order to hack the targeted device.
It doesn’t matter what device the document is opened on: the attack technique works on both desktop and mobile versions of popular text processing software. Kaspersky Lab has observed this method of profiling used in the wild by at least one cyberespionage actor, which the company’s researchers call FreakyShelly. Kaspersky Lab has reported the issue to the software vendor, but it has not yet been fully patched.
Some time ago, while investigating FreakyShelly targeted attacks, Kaspersky Lab’s experts detected a spear-phishing mailing of OLE2-format documents (these use Object Linking and Embedding technology that helps apps to create compound documents containing information from various sources, including from the Internet). A quick preview of the file did not arouse suspicion or mistrust. It included a set of useful tips on how to make the best use of the Google search engine and contained no known exploits or malicious macros. However, a deeper look into the document’s behaviour showed that, when opened, the document for some reason sent a specific GET request to an external web-page. The GET request contained information about the browser used on the device, the version of the OS, as well as data on some other software installed on the attacked device. The problem was that this Web-page wasn’t something the application should send any requests to at all.
Further Kaspersky Lab research showed that the attack works because of how technical information about elements of the document is processed and stored inside it. Each digital document contains specific meta data about its style, text location and source, where pictures for the document (if there are any) should be taken from, and other parameters. Once opened, the office application would read these parameters and then build the document using them as a “map”. Based on the results of the investigation by Kaspersky Lab researchers, the parameter that is responsible for pointing to the location of pictures used in the document can be changed by the attackers through sophisticated code manipulations and make the document report to the web-page owned by a threat actor.
“Although this feature doesn’t enable a malware attack, it is dangerous because it can effectively support malicious activity by requiring almost zero-interaction from the user and being able to reach many people around the world, as the affected software is very popular. So far we have seen this feature used in only one instance. However, given the fact that it is really hard to detect, we expect that more cyberthreat actors may start using the technique in the future,” says Alexander Liskin, Heuristic Detection group manager, Kaspersky Lab.