Developers of malware have discovered a macro-like infection method which abuses Microsoft Object Linking and Embedding (OLE) system with malicious scripts
Microsoft OLE system is a proprietary Microsoft technology that is used in some products of the company. This system allows users to embed, or link to, various types of content inside the software.
Usually users employ OLE in order to embed Flash content, images, graphs, etc. Among the objects that users can embed are VBScript and JavaScript code.
According to Microsoft, last month, its security products started picking up malicious documents attached to spam email that leveraged OLE objects. The users who downloaded and opened the Office docs were greeted with the same message which was seen in many macro malware campaigns before.
The hackers were telling users that the file required “human verification” and that he needed to double-click the big icon at the center of the document. After users double-clicked the icon, a popup appeared asking them if they wanted to run the object, which in this case could have been either a JavaScript or a VBScript file. Both scripting languages are very well supported in Windows and have access to powerful system-level commands.
When it comes to the particular campaign, the malicious scripts downloaded an encrypted binary. Besides, the scripts managed to bypass network-based protections designed to detect malicious data formats. After that, the scripts saved the encrypted binary on disk, decrypted its content, and executed it, effectively installing either Vibrio or Donvibs trojans.
Vibrio and Donvibs are malware droppers, whose main purpose is to gain an initial foothold and download more potent malware after they gained boot persistence on the target’s machine. According to Microsoft, in this case, the final payload was the Cerber ransomware.
In general, this is a novel approach for tricking users into running malicious code on their computers. Identically to the macros, the OLE method relies on social engineering, since a user still needs to click and approve the execution of malicious code, just like users have to enable macro support in Office docs.
However, unlike macro malware, the OLE trick has novelty on its side, and most users won’t know that by allowing the JS and VBScripts to run, they are exposing themselves to malware infections.
“It’s important to note that user interaction and consent is still required to execute the malicious payload. If the user doesn’t enable the object or click on the object – then the code will not run and an infection will not occur,” Alden Pornasdoro of the Microsoft Malware Protection Center states.
“Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source,” he explained.
According to Microsoft, hackers gave up on this approach as time went by, with the number of malicious documents employing this technique dropping by the first week of this month.
