New Critical MS-Office Zero-day Vulnerability Detected and Exploited in the Wild

Mar 13, 2017

On Tuesday, 11 April 2017, Microsoft released a patch for a Zero-day vulnerability in Microsoft's handling of OLE2Link objects. The vulnerability might have been initially discovered by Ryan Hanson in March 2017, and was further reported in the first week of April 2017 by researchers at McAfee and FireEye. The vulnerability has already been utilized extensively in the wild by the Dridex banking Trojan.

The vulnerability, labeled CVE-2017-0199, is a remote code execution vulnerability, triggered by the way a Microsoft OLE2Link object, which opens application data based on the server-provided MIME type, processes remote content. It is activated when a user opens an RTF document which contains an embedded OLE2Link object. Once the user opens the compromised document, the attack flow is as follows:

1. The exploit connects to a remote attacker-controlled server, and downloads a file that contains HTML content. This file is then executed as an .hta file.

2. The .hta content is disguised as a normal RTF file; however, the file contains a malicious embedded VBScript.

3. The malicious script is loaded and executed by the compromised system, usually leading to the download of a final PE payload. The final payload can then perform various actions on the infected system, as the attacker chooses.
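The first two stages leave static traces a defender can check for: an RTF file whose embedded object data names OLE2Link and carries a remote URL, and RTF-looking content that contains a VBScript tag. The following triage sketch is an added example, not Deep Instinct's detection logic. The function names and finding labels are hypothetical, and it assumes the object data is plain hex, the class name appears as ASCII, and the link URL is stored as UTF-16LE.

```python
import re

# Hex payload of an RTF \objdata group (hex digits, possibly split by whitespace).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# An http(s) URL stored as UTF-16LE text inside the decoded object bytes.
WIDE_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
# A VBScript <script> tag, which has no place in a genuine RTF document.
SCRIPT_RE = re.compile(rb"<script[^>]*vbscript", re.IGNORECASE)


def embedded_objects(rtf: bytes) -> list[bytes]:
    """Decode the hex payload of every objdata group found in the file."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", match.group(1))
        digits = digits[: len(digits) & ~1]  # drop a dangling half-byte
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def triage(data: bytes) -> set[str]:
    """Return the findings that apply to one file or HTTP response body."""
    findings: set[str] = set()
    if not data.lstrip().startswith(b"{\\rtf"):
        return findings  # only RTF-looking content is in scope
    for blob in embedded_objects(data):
        if b"OLE2Link" in blob:
            findings.add("ole2link-object")
            if WIDE_URL_RE.search(blob):
                findings.add("remote-link-target")
    if SCRIPT_RE.search(data):
        findings.add("vbscript-in-rtf")
    return findings


# Constructed samples, not taken from real malware.
_obj = b"\x01\x05\x00\x00OLE2Link\x00" + "http://example.invalid/a.doc".encode("utf-16-le")
STAGE1_DOC = b"{\\rtf1{\\object{\\*\\objdata " + _obj.hex().encode() + b"}}}"
STAGE2_BODY = b'{\\rtf1 filler}\n<script language="VBScript">\' constructed\n</script>'
BENIGN_DOC = b"{\\rtf1\\ansi Plain text only.}"

if __name__ == "__main__":
    for name, sample in [("stage1", STAGE1_DOC), ("stage2", STAGE2_BODY), ("benign", BENIGN_DOC)]:
        print(name, sorted(triage(sample)))
```

A hit is a reason to quarantine and inspect the file, not a verdict. Object data that has been obfuscated beyond whitespace splitting will not decode with this simple pattern.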

The recently patched vulnerability has been present in the wild for some time, and though a patch has urgently been released by Microsoft, many endpoints and servers are, and will remain, vulnerable to this attack. Dridex is a sophisticated banking Trojan, which has been active in the wild for several years. This Trojan steals banking information from users, and in 2015 alone it stole over $30M. Dridex is the first malware family seen to leverage this vulnerability; however, many more malware families might follow suit, or might already be stealthily using this attack method.

Since the initial publication of this vulnerability, Deep Instinct’s Research Team has been collecting and reviewing all samples and use cases associated with it. We are happy to report that Deep Instinct’s solution successfully detects all RTF samples known to have exploited this Zero-day vulnerability.

This, once again, demonstrates the power of Deep Instinct’s deep learning technology – identifying new, previously unseen, malware based on its strong predictive capabilities and preventing the attack. The latest version of Deep Instinct’s solution also employs script control methods, which would block .hta files at the second stage of the attack. The Dridex payload, which is downloaded at the third and final stage of the attack, is also detected by Deep Instinct, which correctly detects all generations of the Dridex malware. Thus, Deep Instinct can block all stages of this attack, giving its users complete protection.