Threat Intelligence Bulletin: Windows Vulnerability Targeted Malware

By Lewis Henderson

Firstly, our Threat Intelligence data clearly demonstrates that Windows vulnerability malware is on the rise, and as others in the industry are finding, we’ve seen a massive spike starting in Q1 2019.

Considering our customers use several layers of other security products and services before Glasswall FileTrust™ for Email processes attachments, over 85% of the CVE-related malware we see already had a known signature at the time it evaded those layers. I’ll explore later why this might be, but first we need to explore why this type of malware is on the rise.

Windows vulnerabilities have been around since the first release, and as software develops, they will continue to appear. But it’s the discovery of weaknesses in systems that have already been patched that presents a really interesting scenario. In this case, some of the CVEs we’re seeing in the current malware attacks are designed to exploit those weaknesses, even when a patch has been made. That begs the question: Why are attackers not only using vulnerabilities for older platforms, but also using them for those that are already secured- or are they?

One surprising revelation is that attackers doing market research will quickly find they can still use old malware for launching new attacks. They just hide payloads in more contemporary Office formats, as we’ll reveal later.

The prevalence of Windows 7, 8 and even Windows XP still in use across enterprises isn’t just viewed as a significant security risk, some even call this negligence. You would expect to see these legacy systems more often in Industrial Control Systems for a totally unique set of operational reasons, but not in contemporary business environments.

In order of prevalence, this is the list of CVE-related malware that Glasswall hasdisarmed in the last 12 months:

There’s clearly popularity for CVE-2017-11882 amongst attackers, so we’ll have a closer look at that first.

As most cyber security professionals understand, this CVE is not an OS vulnerability, but a vulnerability in Office’s legacy Equation Editor component. It’s a Memory Corruption Vulnerability that allows an attacker to run programs as a local user – so if that user has Administration privileges, the attacker does as well. It’s not standard practice to allow most employees to have Admin rights, but conversely, the Equation Editor may be part of a standard build, thereby widely spreading the risk.

The ability to pinpoint targets using various social media platforms and online forums means that attackers researching and gathering intelligence learn as much as they can about their intended victim from a distance. This is time well spent because after all, what’s the point in creating and sending malware if it’s not going to work?

Next, what did we observe about CVE-2017-11882 malware?

  • It was exclusively delivered with Office documents
  • It broke down as follows:
    • 68% were Binary ’97-03 Word format
    • 28% were Excel files in the current XML format
    • Others were in .docx, .xltx and pptx

Next on the list and a lot further down in terms of occurrence is CVE-2017-0199, a very old vulnerability that affects quite a few platforms: Vista, Windows 7 and 8.1, and Windows Server 2008 and 2012. Most patches were available from April 2017.

CVE 2017 11882

What did we observe about CVE-2017-0199 malware?

  • It was delivered in a range of file types
  • It broke down as follows:
    • 100% of the .docx files had an embedded file
    • 100% of the .xlsx files had DDE enabled
    • 75% of the malware already had a signature
CVE-2017-0199

Finally, what did we observe across the other CVE malware?

CVE-2010-0188 exploits Adobe Acrobat, and 100% of themalware aimed at that specific vulnerability, unsurprisingly,came in .pdf documents. But each one of those contained an Acroform, providing some evidence of how attackers are using normal features to deliver the payload.

Clearly Binary Word (.doc) files remain a popular format tosend any type of malware. We also see this across all other threats when reviewing our Threat Intelligence data.

All other CVE Malware

What we learned from looking at all of our data is that Windows VulnerabilityTargeted Malware is commonly sent in Office documents because attackers know this just makes sense, with the Adobe exploit being the exception. Across all the malware that evaded other defences, here are the observed file types:

Windows CVE Malware Types

The older Binary Word format stands clear as the file type of choice. We a seesimilar overall trend across our Threat Intelligence data, where binary format resides in second place to malicious .pdf documents.

Focusing on the features within the malicious files encountered, it’s apparent that malware senders prefer to embed the payload file inside another to obfuscate their attempt to reach their victim. Nearly 45% of files we encountered displayed this characteristic.

Windows CVE Vulnerability Threats

The next-highest file feature observed was Dynamic Data Exchange, at 39%.

Malicious script propagation

The volume of evasive malware we encountered further highlights why DDE should be considered a high risk and be surgically removed. GlasswallFileTrustTM for Email uniquely identifies and removes DDE at the gateway, but it should be noted that disabling DDE at the endpoint could cause user disruption when it’s used for legitimate purposes. Previous bulletins have discussed how Microsoft is continuing support for DDE, but it should be removed from withinfiles that are outside your organisation’s domain. DDE only ever points to internal data sources – never from the internet, so external files carrying thisfeature need to be viewed with suspicion. It is a legitimate feature that gives attackers lots of control to deploy malware. You might have expected macros to be at the top of their preferred list, but it no longer has the leading spot amongst Evasive Malware.

A few other observations:

We need to explore why over 85% of this type of malware managed to evade other security products and services prior to Glasswall disarming the malicious attachment.

Let’s take DDE as an example: DDE is a legitimate Office document function,yet it can be used to trick a user to activate malicious code buried deep in thefile or trigger a workflow that fetches malware from a newly created maliciouswebsite. It’s a highly innovative trick that the attackers know will work, as most security technologies hunt for signatures, patterns or ‘bad’ document behaviour– none of which resides in the original file.

These evasive techniques demonstrate that attackers are on the front foot and are constantly one step ahead of security vendors whose model is to protectagainst ‘known bad’. All that’s needed is old malware in a new file, hidden by legitimate looking features and functions. The facts speak for themselves in that over 85% of the evasive malware we encountered have malware that was already known. Just the techniques and tactics had changed. Postanalysis showed that Glasswall disarmed the files using the two methods of file sanitisation: 1) Removal of features and functions, and 2) file regeneration intoa safe standard. This provides further proof that as part of a layered security stack, having a Content, Disarm and Reconstruction (CDR) technology as thefinal layer is critical to defending against old threats in new files.

Recommendation for organizations with Glasswall FileTrust for Email