Targeted Attacks Exploit VBA Vulnerability in July MS Tuesday

It’s déjà vu. Last year around this time, I blogged about an exploit in the wild for a vulnerability included in the June 2011 MS Tuesday. This year, there is an active exploit in the wild for a vulnerability in July’s MS Tuesday.

Since mid-March, attackers have been sending their targets customized emails with malformed attachments that exploit the Microsoft Visual Basic for Applications DLL Loading Arbitrary Code Execution Vulnerability (CVE-2012-1854). The attachments are archive files that contain a clean Microsoft Word file along with a malicious Dynamic Link Library (DLL) file. So far, the attacks have been limited and have mostly affected Japanese organizations.

The vulnerability involves how Visual Basic for Applications handles the loading of DLL files and how an attacker can remotely execute code to compromise a computer. The vulnerability can be exploited by creating any Microsoft Word Document, such as a .doc file, and pairing it with specially crafted malware that has the filename Imeshare.dll located in the same folder. The Word file can be clean and any arbitrary file. It does not require any special code. The Word files can be legitimate files that are actually used by the targeted organization or files that are commonly received from external contacts. The DLL files, on the other hand, are specifically developed to exploit the particular vulnerability. The image below is what the malicious email attachment would contain. Note that the file name of the Word document can be anything; however, the name of the DLL is constant.
 


 

The example above uses the zip file format as the archive, but any type of archive can be used. We have confirmed the use of the zip file format and LZH archives in the wild so far. While the DLL file can be easily seen in the archive, it could go unnoticed after the files are extracted as the file could be set to hidden. So for those computers that have Do not show hidden files and folders selected under Hidden files and folders in Folder Options, only the Word file would be visible when the files are extracted. This might trick the user into believing there is nothing suspicious here and lead to the file being opened by the user, which compromises the computer, allowing a remote attacker to take complete control.

We have seen various types of malware with the file name Imeshare.dll. The malware includes Trojan Horse, Trojan.Dropper, Backdoor.Trojan, and Backdoor.Darkmoon, among others.

For protection, users should immediately apply the patch for this vulnerability. It is also important to be cautious when receiving emails, especially when they have attachments or links, and to be extra vigilant when there are DLL files included, as this type of file is not normally sent by email.