Security experts reported a vulnerability which affects all versions of Microsoft Office and could be exploited by hackers for spreading macro-based self-replicating malware.
After being informed about the flaw, Microsoft implemented a security mechanism in MS Office that prevents this kind of attack. Despite the new mechanism, however, a researcher from the InTheCyber company has found an attack technique that bypasses the security control and creates self-replicating malware hidden in MS Word documents.
Microsoft was informed about the flaw in October; however, the corporation didn't consider the issue a security vulnerability and explained that the feature exploited by the expert was implemented to work exactly this way.
What is worse is that hackers are already exploiting the same attack vector that was reported to Microsoft. A few days ago, security experts from Trend Micro detailed a recently discovered macro-based self-replicating ransomware called 'qkG' which exploits the same MS Office flaw.
“Further scrutiny into qkG also shows it to be more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild. This, however, doesn’t make qkG less of a threat. As the qkG samples demonstrated, its behaviors and techniques can be fine-tuned by its developer or other threat actors.” the analysis published by Trend Micro reads.
The qkG ransomware relies on the Auto Close VBA macro technique to execute the malicious macro when the victim closes the document.
The first version of the qkG ransomware included a Bitcoin address, just like the latest sample of the threat which demands a ransom of $300 in BTC. According to security researchers, the Bitcoin address hasn’t received any payment yet, suggesting that hackers haven’t spread the malware globally yet.
The experts also found that the qkG ransomware currently uses the hardcoded password "I'm QkG@PTM17! by TNA@MHT-TT2", which allows the encrypted files to be decrypted.
Microsoft distrusts external macros by default and restricts programmatic access to the Office VBA project object model. Users can manually enable "Trust access to the VBA project object model" if required.
As soon as the "Trust access to the VBA project object model" setting is enabled, MS Office trusts all macros and automatically runs any code without showing a security warning or requiring the user's permission.
Users can also enable or disable the "Trust access to the VBA project object model" setting by editing the Windows registry, which in turn lets macros write further macros without the user's consent or knowledge.
The attack technique was devised by the researcher Lino Antonio Buono, and it simply relies on hackers tricking victims into running macros included in a bait document.
“In order to (partially) mitigate the vulnerability it is possible to move the AccessVBOM registry key from the HKCU hive to the HKLM, making it editable only by the system administrator.” Buono says.
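A defender-side check of the setting discussed above, added here as an example and not part of the original article or of Buono's research: it reads the AccessVBOM value behind "Trust access to the VBA project object model" for each Office application and version, and warns where it is set to 1 in the user hive without a policy override. Assumed: the version keys 14.0 to 16.0, the Word/Excel/PowerPoint application names, the Group Policy location under HKCU\Software\Policies, and the HKLM location Buono proposes as the mitigation.

```powershell
# Added example: audit the AccessVBOM registry value that controls
# "Trust access to the VBA project object model" (1 = trusted, macros may write macros).
# Assumptions: Office versions 14.0/15.0/16.0 and the standard Security subkey layout.
$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '14.0', '15.0', '16.0'

function Get-AccessVBOMState {
    param([string]$Version, [string]$App)
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"          # per-user setting
    $gpoKey    = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security" # Group Policy
    $hklmKey   = "HKLM:\Software\Policies\Microsoft\Office\$Version\$App\Security" # location Buono proposes

    # Missing key or value yields $null instead of an error
    $user = (Get-ItemProperty -Path $userKey -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM
    $gpo  = (Get-ItemProperty -Path $gpoKey  -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM
    $hklm = (Get-ItemProperty -Path $hklmKey -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM

    # A policy value takes precedence over the user-editable HKCU value
    $locked = ($null -ne $gpo) -or ($null -ne $hklm)
    if ($null -ne $gpo)       { $effective = $gpo }
    elseif ($null -ne $hklm)  { $effective = $hklm }
    elseif ($null -ne $user)  { $effective = $user }
    else                      { $effective = 0 }    # Office default: access not trusted

    [pscustomobject]@{
        App            = $App
        Version        = $Version
        UserValue      = $user
        PolicyValue    = if ($null -ne $gpo) { $gpo } else { $hklm }
        Effective      = $effective
        LockedByPolicy = $locked
    }
}

$report = foreach ($v in $versions) { foreach ($a in $apps) { Get-AccessVBOMState -Version $v -App $a } }

# Flag the risky combination: trusted access set by the user and not enforced by policy
$report | Where-Object { $_.Effective -eq 1 -and -not $_.LockedByPolicy } | ForEach-Object {
    Write-Warning "$($_.App) $($_.Version): AccessVBOM=1 in HKCU and not locked by a policy key"
}
$report | Format-Table -AutoSize
```

Run it in the context of the user whose Office profile you are auditing, since the per-user values live in that user's HKCU hive.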