Cyber crooks are taking advantage of a recently discovered vulnerability in Microsoft Office to hide malicious code in Word documents, the software giant has warned.
Furthermore, the flaws are being taken advantage of by a Russia-linked hacking group called APT28, who are expoiting a vulnerability in the Dynamic Data Exchange (DDE) component of Office.
According to the researchers, the hackers have been exploiting the flaw for around a month.
This is responsible for transporting data and messages between applications. The exploit affects Outlook email accounts, Word documents and Excel spreadsheets.
The hackers, also known collectively as Fancy Bear and linked with the Russian government, have benefited from the protocol because it doesn’t warn users to enable macros. However, pop-ups asking users to update files may sometimes appear.
Security firm McAfee claimed that the hacking group has been taking advantage of the recent New York terror attack to propagate its malicious code, inserting malware into a document talking about the incident.
“McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research,” it claimed.
“This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system, regardless whether macros are enabled.
“APT28, also known as Fancy Bear, has recently focused on using different themes. In this case it capitalised on the recent terrorist attack in New York City.
“The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim’s system.”
Microsoft has since released a specialist advisory detailing the vulnerability and how it affects users. It is now working on a patch, but the Advisory effectively serves notice to other hacking groups of a glaring flaw in Office that others will now seek to exploit.
“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email,” it said.
“The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.
“Microsoft strongly encourages all users of Microsoft Office to review the security-related feature control keys and to enable them. Setting the registry keys described in the following sections disables automatic update of data from linked fields.”