22 February 19, 08:54
(This post was last modified: 22 February 19, 08:55 by harlan4096.)
Quote:
Using Microsoft Word to distribute malware is a common tactic used by criminals. Given the popularity of Word, criminals can often "live off the land" and use mechanisms that are already in place to do their dirty work.
Why force your way into a house when you can trick the owner into letting you in? This concept has always been used by malware authors to gain access into their victims' computers. They understand that the most sophisticated security system does not completely guarantee protection for the user. This is especially true if the job of that person includes opening and reviewing multiple documents (such as resumes or invoices) from their email inbox. With that in mind, let us look into one of the products that malware authors prefer to abuse when it comes to deploying malware: Microsoft Word.
More than a Word Processor
Microsoft Word is one of the most recognizable products as far as Word Processors go, with a user base of well over 100 million commercial users as well as more than 27 million consumers for home and personal devices.
Even back in the 1990s, it was able to overcome its competitors like WordStar and WordPerfect by introducing features that would enhance the user experience when it comes to browsing and editing documents. By 1994, it had cornered 90 percent of the word processor market, making Microsoft Word a permanent fixture on most computers.
The introduction of Macros, also known as Visual Basic for Applications (VBA), gave users the power and the flexibility to create custom solutions. VBA is therefore capable of launching other applications on the host computer (see code listing below) or simply creating dialog boxes.
This has far-reaching implications: Malware authors can create a document file capable of downloading and executing a file when it is opened and macros are enabled by the user.
Another option is to leverage Macros to run PowerShell (code listing below), which is a scripting language built on Microsoft .NET. It is a popular choice among system administrators because it is the most powerful way for them to administer Windows computers. But with PowerShell having access to the .NET Framework, Windows Management Instrumentation (WMI), Active Directory Service Interface (ADSI) as well as the Win32 Application Programming Interface (API), penetration testers saw its potential, leading to the creation of pentesting tools such as Nishang as well as Post Exploitation tools such as Empire.
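The quoted article's code listings are not reproduced in the post. As an added defender's example (not code from the post or the article), the script below takes VBA source as a mail gateway or analyst would extract it from a document and flags the combination the article describes: an auto-executing entry point such as AutoOpen that starts another process or invokes PowerShell. The macro text, the indicator names and the scoring are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample VBA source, as seen after extracting a document's macro stream.
SAMPLE_VBA = """\
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Date", 0
End Sub
Sub Document_Close()
    MsgBox "Thanks for reading"
End Sub
"""

# Entry points Word runs on its own, with no button click by the user.
AUTOEXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close)\b", re.I)
# Capabilities worth flagging, each as a label and the pattern that reveals it.
INDICATORS = {
    "launches a process": re.compile(r"\bShell\b|WScript\.Shell|\.Run\b|\.Exec\b", re.I),
    "invokes PowerShell": re.compile(r"powershell(\.exe)?", re.I),
    "hides its window": re.compile(r"-WindowStyle\s+Hidden|\bvbHide\b", re.I),
    "late-bound COM object": re.compile(r"\bCreateObject\(", re.I),
}

@dataclass
class MacroReport:
    autoexec: list = field(default_factory=list)    # auto-running Sub names found
    indicators: dict = field(default_factory=dict)  # label -> line numbers that matched
    score: int = 0

def analyze_vba(source: str) -> MacroReport:
    """Walk the VBA source line by line, recording auto-exec subs and capability hits."""
    report = MacroReport()
    for lineno, line in enumerate(source.splitlines(), 1):
        hit = AUTOEXEC.search(line)
        if hit and re.match(r"\s*(Private\s+|Public\s+)?Sub\b", line, re.I):
            report.autoexec.append(hit.group(1))
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                report.indicators.setdefault(label, []).append(lineno)
    # Constructed scoring: each capability counts once, an auto-exec trigger counts double.
    report.score = len(report.indicators) + (2 if report.autoexec else 0)
    return report

def verdict(report: MacroReport) -> str:
    if report.autoexec and "launches a process" in report.indicators:
        return "suspicious: auto-executing macro launches a process"
    if report.indicators:
        return "review: macro uses " + ", ".join(report.indicators)
    return "benign-looking: no auto-exec trigger or process launch"
```

Run `verdict(analyze_vba(SAMPLE_VBA))` to see the sample flagged; a macro that only shows a MsgBox comes back as benign-looking.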