

Huntress is keeping a close eye on the developing threat of a zero-click remote code execution technique used through MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities, namely Microsoft Word. Throughout the coming days, we expect exploitation attempts in the wild through email-based delivery. In this article, we will discuss recreating the attack vector, detection efforts and potential mitigation steps.

The Non-Technical Version of What's Happening

If you are seeking guidance on how to keep your users safe rather than an in-depth explanation of the vulnerability, the short answer is to let them know that there is a newly discovered vulnerability in MS Word (and likely other MS Office apps) that could install malware, so they should be especially vigilant about opening any attachments. They should also be made aware that this exploit can be triggered with a hover-preview of a downloaded file that does not require any clicks (post download). There are additional suggestions for mitigation actions at the bottom of this post.

The Huntress team obtained the sample first shared by on Twitter and examined the contents of the Microsoft Word document. We have replicated this exploit and are sharing our findings below.

Unzipping the file extracts all the components that make up the Office document. Inside the word/_rels/ folder is a file, containing an external reference to hxxps//. At the time of writing (0041 EDT), this website is no longer online. From the previous research shared from we could retrieve the HTML from ANY.RUN's dynamic analysis.

This was the original contents of RDF842l.html:

This HTML document begins with a script tag and includes a significant amount of commented A characters, which (considering they are just comments) would seem to serve no purpose… but from our testing, a hefty amount of characters is necessary for the exploit to fire. At the very bottom of the script tag is the syntax:
