GDATA Security_Blog: Distributing Malware - one "Word" at a Time
Using Microsoft Word to distribute malware is a common tactic used by criminals. Given the popularity of Word, criminals can often "live off the land" and use mechanisms that are already in place to do their dirty work.

Why force your way into a house when you can trick the owner into letting you in? This concept has always been used by malware authors to gain access into their victims' computers. They understand that the most sophisticated security system does not completely guarantee protection for the user. This is especially true if the job of that person includes opening and reviewing multiple documents (such as resumes or invoices) from their email inbox. With that in mind, let us look into one of the products that malware authors prefer to abuse when it comes to deploying malware: Microsoft Word.

More than a Word Processor

Microsoft Word is one of the most recognizable products as far as Word Processors go, with a user base of well over 100 million commercial users as well as more than 27 million consumers for home and personal devices.

Even back in the 1990s, it was able to overcome its competitors like WordStar and WordPerfect by introducing features that would enhance the user experience when it comes to browsing and editing documents. By 1994, it had cornered 90 percent of the word processor market, making Microsoft Word a permanent fixture on most computers.

The introduction of Macros, also known as Visual Basic for Applications (VBA), gave users the power and the flexibility to create custom solutions. VBA therefore is capable of launching other applications on the host computer (see code listing below) or simply creating dialog boxes.

This has far-reaching implications: Malware authors can create a document file capable of downloading and executing a file when it is opened and macros are enabled by the user.

Another option is to leverage Macros to run PowerShell (code listing below), which is a scripting language built on Microsoft .NET. It is a popular choice among system administrators because it is the most powerful way for them to administer Windows computers. But with PowerShell having access to the .NET Framework, Windows Management Instrumentation (WMI), Active Directory Service Interface (ADSI) as well as the Win32 Application Programming Interface (API), penetration testers saw its potential, leading to the creation of pentesting tools such as Nishang as well as Post Exploitation tools such as Empire.
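An added defender-side example, not code from the G DATA post or from the forum: a heuristic triage of an Office Open XML document that flags a VBA project in which an auto-run entry point is paired with a process-launching call, the combination the post describes. The location of the macro container (word/vbaProject.bin inside the zip) is the real OOXML layout; the sample document, the keyword lists and the verdict labels are constructed for this example.

```python
import io
import zipfile

# Macro entry points that fire when the document opens, and calls that can
# start another program (the "launch other applications" behaviour above).
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec")
LAUNCHERS = ("Shell", "WScript.Shell", "powershell", "CreateObject")

def triage_docx(data: bytes) -> dict:
    """Inspect raw .docx/.docm bytes (an OOXML zip) for a VBA project.

    Caveat: vbaProject.bin keeps module source compressed (MS-OVBA), so a
    plain string scan is a heuristic; it catches identifiers that survive in
    the uncompressed streams, but a real triage tool should decompress them.
    """
    report = {"has_macro": False, "auto_exec": [], "launchers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        if not parts:
            return report
        report["has_macro"] = True
        blob = b"".join(zf.read(n) for n in parts).lower()
        report["auto_exec"] = [k for k in AUTO_EXEC if k.lower().encode() in blob]
        report["launchers"] = [k for k in LAUNCHERS if k.lower().encode() in blob]
    return report

def verdict(report: dict) -> str:
    """Escalate only when an auto-run entry point and a launcher coexist."""
    if not report["has_macro"]:
        return "clean"
    if report["auto_exec"] and report["launchers"]:
        return "suspicious"
    return "macro-present"

def build_sample(macro_blob=None) -> bytes:
    """Constructed minimal OOXML zip; macro_blob=None yields a macro-free docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_blob is not None:
            zf.writestr("word/vbaProject.bin", macro_blob)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: an auto-run procedure that spawns a shell.
    sample = build_sample(b'Sub Document_Open()\r\n  Shell "powershell"\r\nEnd Sub')
    print(verdict(triage_docx(sample)))  # suspicious
```

A document that merely contains a VBA project is reported as "macro-present", so the check separates ordinary macro-enabled files from the open-and-launch pattern; treat a "suspicious" result as a cue for deeper analysis with a tool that decompresses the module streams, not as a final verdict.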