Attackers are using the MS Office object linking and embedding (OLE) function to insert malicious scripts into spam emails. Social engineering techniques are also used to encourage users to double click on the malicious OLE embedded scripts.
The spam email messages used for these campaigns are simplistic, but effective. They appear to contain an invoice or receipt in the form of an attached Word document. However, the document contains a malicious JS script called Trojan:JS/Certor.A. Running the script will result in the users’ proxy settings being changed which will allow the attackers to steal authentication credentials and other sensitive data.
Opening the attached Word document will not automatically result in a user’s computer being compromised. The attached documents contain malicious OLE embedded scripts which are masked by text or icons. Typically, these embedded objects contain text asking the user to double click to view the invoice or receipt.
If the user double clicks as requested, they will receive a security warning on screen asking for confirmation that they want to open the file. The file will be identified as a Jscript Script file, but it will have an innocuous name. The user may not realize that the file is malicious. Although the names of the file are different for each campaign, they typically include terms such as PayPal, invoice, or receipt.
Allowing the file to be opened will see a range of malicious functions executed. Registry keys related to browser proxy settings will be modified, and a number of components will be dropped and executed. The malware even carries its own certificate.
The malware can be used to redirect users to malicious websites containing exploit kits, phishing campaigns, or ads. However, the malware will also enable the attackers to monitor HTTPS content and traffic and steal sensitive data such as login credentials entered on secure websites. The end user will be unaware that their computer has been compromised and that their actions online are being monitored.
To avoid infection, users have been told not to open attached files that are sent from unknown senders. Microsoft also says that this advice is all too often ignored by end users. For large businesses with many employees, preventing all users from running malicious OLE embedded scripts is a problem. There is always one employee that ignores security best practices. Unfortunately, all it takes for a network to be compromised is for one employee to run a malicious script.
The best step to take to ensure this doesn’t happen is to use a powerful spam filtering solution such as SpamTitan. SpamTitan stops 99.97% of spam emails from being delivered to end users’ inboxes.
Additionally, to prevent malicious OLE embedded scripts from being run, Microsoft offers the following advice:
“For added defense-in-depth, you can reduce the risk from this threat by following [Microsoft] guidance to adjust the registry settings to help prevent OLE Embedded Objects executing altogether or running without your explicit permission.”