Attackers’ New Malware Distribution Technique Exploits Microsoft OLE
June 22, 2016
Shah Sheikh (1294 articles)

Cyber criminals have been reviving attacks that use Windows macros for the past few years, relying on Office commands that run automatically to spread malware. Hackers will certainly keep using macros until the method stops working. In the meantime, however, fresh research shows that they may be moving on to something else: another Microsoft technology for distributing their threats.

Generally, end-users use the OLE (Object Linking and Embedding) mechanism to embed images, graphics, Flash content and more. One kind of object that can be embedded is a VBScript file.

The Object Linking and Embedding mechanism lets a document include text, images or other content from elsewhere, normally produced by another application. When an end-user wants to edit the embedded data, Windows can launch the originating application and load the data for editing.

Quite often an object or script prompts the end-user to act on it. In that situation, users may be tricked into clicking on, or enabling, a malicious object, which results in the code executing and the machine being infected. Threatpost.com reported this on June 16, 2016.

Researchers found that when end-users downloaded and opened the Office files, they were shown a message familiar from several macro malware campaigns. The message asked users to perform a ‘human verification’ of the file by double-clicking a large icon in the middle of the document. This was the trap. Double-clicking as directed produced a pop-up asking whether the user wished to run the embedded object, which could be either a VBScript or a JavaScript file.
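As an added defender-side example (not from the article or from SpamFighter), the Python script below inspects an Office Open XML archive for the kind of embedded object this lure relies on: an OLE object with ProgID "Package" drawn as an icon, which is how an embedded script file appears in the document part. The sample document is constructed inline, and the `o:OLEObject` element and attribute names are assumed from the Word OOXML layout rather than taken from the article.

```python
import io
import re
import zipfile

# Constructed sample (not a real malicious file): the body fragment of a minimal
# .docx that carries one embedded OLE "Package" object drawn as an icon. That is
# the shape an embedded .vbs or .js file takes when the user is meant to
# double-click it. Element and attribute names are assumed from Word's OOXML layout.
_PACKAGE_OBJECT = (b'<w:object><o:OLEObject Type="Embed" ProgID="Package" '
                   b'DrawAspect="Icon" ObjectID="_1" r:id="rId5"/></w:object>')

def build_sample_docx(with_package=True):
    """Build an in-memory OOXML archive, optionally carrying the embedded object."""
    body = _PACKAGE_OBJECT if with_package else b"<w:t>clean text</w:t>"
    xml = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           b'xmlns:o="urn:schemas-microsoft-com:office:office" '
           b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
           b"<w:body><w:p><w:r>" + body + b"</w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", xml)
        if with_package:
            # Placeholder bytes standing in for the OLE compound-file blob.
            z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 16)
    return buf.getvalue()

_OLE_TAG = re.compile(rb"<(?:\w+:)?OLEObject\b([^>]*)>")
_ATTR = re.compile(rb'(\w+)="([^"]*)"')

def triage_docx(docx_bytes):
    """List embedded OLE objects in an OOXML archive and flag icon-drawn
    Package objects, the container used for embedded files such as scripts."""
    objects, parts = [], []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:
                parts.append(name)        # word/, xl/ or ppt/ embeddings
            elif name.endswith(".xml"):
                for m in _OLE_TAG.finditer(z.read(name)):
                    attrs = {k.decode(): v.decode() for k, v in _ATTR.findall(m.group(1))}
                    objects.append({"part": name,
                                    "progid": attrs.get("ProgID", ""),
                                    "icon": attrs.get("DrawAspect") == "Icon"})
    suspicious = any(o["progid"] == "Package" and o["icon"] for o in objects)
    return {"embedding_parts": parts, "ole_objects": objects, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

A flagged document is a candidate for further analysis of the embedded blob, not proof of malice on its own, since legitimate documents also embed files this way.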

Microsoft emphasizes that both OLE-triggered attacks and macros can be stopped through settings in its Office package. OLE package activation can be blocked by modifying a registry key in Office 2007 through 2016, and a new macro-blocking feature in Office 2016 lets administrators restrict macro use to a set of trusted workflows.

The registry key takes the values “2,” “1,” or “0,” which respectively mean “no prompt, the object does not run,” “Office prompts after the end-user clicks, then the object runs,” and “Office does not prompt even when the end-user clicks, and the object runs.”

Source | SpamFighter