Cybercriminals have come up with a new technique for macro-based malware distribution, published the Cisco`s security team.
In 2007, Microsoft decided to change the default file formats in the Office suite and it added a new set based on the OfficeOpen XML standard.
With the addition of the new formats, some files were able to contain macro code and others weren’t, while, before 2007, all of them could store and automatically execute macro scripts when opened.
The macro-supportive files can easily be recognized by the “M” appended at the end of the Office extension. On the other hand, the files with an “X” as a last letter of the extension are not macro-enabled. For instance, Word DOCM and DOTM files are capable of containing macro code, while DOCX and DOTX files are not.
In the course of the investigation, the Cisco researchers discovered an interesting fact. If a non-macro-supportive DOCX file is renamed to DOCM file, which should be macro-enabled, macro malware still couldn’t be added to the file. This is because of the way Windows and Office work and the MIME type agreement of the file. If someone try to open a renamed file like this an error will occur.
And yet, if the opposite is to happen and a macro malware containing file DOCM is renamed to DOCX, would still have the macro code in it. In this case, if the renamed files is opened, not only no error will occur but the macro code would be actually executed onto the computer.
This tactic even works if DOCM/DOTM files are renamed with RTF extension, which was never macro-supportive. The same thing is possible with XLSX files renamed to a CSV, a text-based format.
However, the files should be opened with an Office application in order for them to work as Office automatically starts the execution process.
Researchers say that problem originates from WWLIB.DLL file, a DLL used by Office to validate MIME types.
“In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly,” the Cisco researchers explain. “When the file extension does not hint at a OOXML file type this step of validation always passes, even if the MIME type is actually OOXML. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension.”
Unfortunately, the researchers were not the only ones to discover this tactic. According to Cisco`s reports, since the beginning of this year, many cybercriminals have started to use this technique in their malware distribution campaigns and the numbers are constantly growing.
The good news is that there is an easy way to handle this problem. It should be used an Office update that fixes the way WWLIB.DLL manages file type validations. The update would trigger an error or a warning which will stop the execution process and prevent the machine from being infected.
