ThreadKit, Formbook Exploit Old Microsoft Vulnerability
Sivan Nir, Feb 6, 2019
A vulnerability that Microsoft discovered and patched in July 2017 is being exploited once again, this time by ThreadKit (an exploit kit popular among low-skilled attackers) delivering the Formbook malware (an information stealer and form grabber). It is a timely reminder of how important it is to install patches when they are released.
The story starts in July 2017, when Microsoft published CVE-2017-8570, a high-severity code execution vulnerability in Microsoft Office. Although Microsoft released a patch the same month, the vulnerability was exploited in the wild anyway: the first reported exploit came one month later, and ThreadKit followed with another in March 2018. Now a third campaign has been spotted, a year and a half after the vulnerability was first published.
How Does the Exploit by Formbook Work?
The attack begins with an email carrying what looks like a Word document (in fact an RTF file, which Word opens just as readily). The sender address and subject line look authentic: they contain details that seem real and often mimic the addresses and wording of genuine companies. This social engineering establishes enough trust that the user has few reservations about opening the attachment.
If the user is fooled by the email and clicks the attachment, the RTF file opens and closes almost immediately. It looks as if Word has simply crashed, but what is actually happening is that the file is downloading and extracting a ZIP archive. Stashed inside that archive is a second fake Word document, containing the source code for a phishing HTML page and the malware payload.
The user is unaware of any of this. All they see is the original Word document reappearing on screen; for all intents and purposes, Word crashed and restarted. They have no idea that they are now harboring a malicious stowaway that is harvesting their confidential data.
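Before anyone double-clicks such an attachment, a mail gateway or analyst can apply two cheap checks that apply to RTF-borne Office exploits in general: does the file's real container match its extension, and does the RTF carry embedded OLE objects (especially with `\objupdate`, which activates them as soon as the file opens)? The script below is an added example, not code from the Skybox post and not a reproduction of the Formbook sample it describes; the RTF it scans is constructed inline, with a "Package" object wrapping a stand-in executable, and the hypothetical file names are assumptions.

```python
r"""Triage an Office attachment by its real container and embedded OLE objects.

Added example with a constructed sample; it does not reproduce the Formbook
sample described in the post. Assumed file names are illustrative only.
"""
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EXPECTED = {".doc": "ole", ".docx": "zip", ".docm": "zip", ".rtf": "rtf"}
_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def sniff_container(data: bytes) -> str:
    """Identify the real container from its leading bytes, ignoring the extension."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"      # legacy binary .doc/.xls/.ppt
    if data.startswith(b"PK\x03\x04"):
        return "zip"      # OOXML .docx/.xlsx/.pptx
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container and the bytes are another."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED.get(ext)
    return expected is not None and sniff_container(data) != expected


def extract_objdata(rtf: bytes) -> list:
    """Decode every {\\*\\objdata ...} hex run into its raw OLE 1.0 blob."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))          # hex may be wrapped across lines
        blobs.append(bytes.fromhex(hexrun[: len(hexrun) & ~1].decode("ascii")))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Walk the OLE 1.0 header: version, FormatID, class name, then native data (FormatID 2)."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)       # raises struct.error if truncated
        off += 4
        return v

    def lpstr():
        nonlocal off
        n = u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    version, format_id = u32(), u32()                     # 0x00000501; 1 = linked, 2 = embedded
    class_name, _topic, _item = lpstr(), lpstr(), lpstr()
    native = b""
    if format_id == 2:
        native = blob[off + 4:off + 4 + u32()] if False else blob[off + 4:off + 4 + struct.unpack_from("<I", blob, off)[0]]
    payload = "pe" if native.startswith(b"MZ") else sniff_container(native)
    return {"version": version, "format_id": format_id, "class": class_name,
            "native_size": len(native), "payload": payload}


def triage(filename: str, data: bytes) -> dict:
    """Return the container type, the parsed embedded objects and a list of findings."""
    report = {"container": sniff_container(data), "objects": [], "findings": []}
    if extension_mismatch(filename, data):
        report["findings"].append(f"{filename}: extension does not match {report['container']} content")
    if report["container"] == "rtf":
        if b"\\objupdate" in data:
            report["findings"].append("\\objupdate present: embedded object activates when the file opens")
        for blob in extract_objdata(data):
            try:
                obj = parse_ole1(blob)
            except struct.error:
                report["findings"].append("truncated or malformed \\objdata blob")
                continue
            report["objects"].append(obj)
            if obj["payload"] != "unknown":
                report["findings"].append(f"embedded '{obj['class']}' object carries a {obj['payload']} payload")
    report["suspicious"] = bool(report["findings"])
    return report


# --- constructed sample input (not a real malware artefact) ---
def _lpstr(s: bytes) -> bytes:
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def make_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build a FormatID-2 OLE 1.0 blob, the same layout parse_ole1 reads."""
    return (struct.pack("<II", 0x00000501, 2) + _lpstr(class_name) + _lpstr(b"")
            + _lpstr(b"") + struct.pack("<I", len(native)) + native)


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 28           # stand-in for a dropped executable
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0\n{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
              b"{\\*\\objdata " + make_ole1_embedded(b"Package", FAKE_PE).hex().encode("ascii")
              + b"\n}}}\n")
BENIGN_DOCX = b"PK\x03\x04" + b"\x00" * 26       # just the OOXML zip magic, nothing embedded

if __name__ == "__main__":
    for name, blob in (("Invoice_4471.doc", SAMPLE_RTF), ("report.docx", BENIGN_DOCX)):
        print(name, triage(name, blob))
```

The parser deliberately stops at the OLE 1.0 header rather than trying to understand the native data; in practice the class name ("Package" means an arbitrary embedded file) and the first bytes of the payload are enough to decide whether a file deserves a sandbox detonation. Heavily obfuscated RTF can split control words with stray braces or junk, so a production gateway should normalise the document first rather than rely on a single regex.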
How to Protect Yourself Against the Formbook Malware
Thankfully, the effects of this exploit, and of others like it, can be avoided by installing patches when they are released. But for many operations teams, a patch from summer 2017 for a vulnerability Microsoft did not rate as critical does not simply jump to the front of the to-do list.
In organizations where threat intelligence isn’t regularly incorporated in patch prioritization, this vulnerability will likely remain unpatched.
Skybox first alerted customers to the exploitability of the vulnerability in August 2017, raising its remediation priority to "urgent." See how our threat-centric vulnerability management approach prioritizes vulnerabilities by exploitability and exposure in our e-book.
As a general note of caution when using Microsoft Office: keep documents from untrusted sources in Protected View (do not click "Enable Editing") and keep macros disabled, because either can allow a payload in a malicious file to launch simply by opening it or by hitting a common keyboard shortcut. Bear in mind that this particular exploit does not depend on macros, so the patch is the only control that actually removes the vulnerability; Protected View and disabled macros raise the bar against the wider family of attachment-borne attacks. Office products prevent macros from running by default in most configurations, but it is worth checking. And, as always, exercise extreme caution when opening email attachments, even when they appear to come from a genuine source. It is only too easy to fall into the cybercriminals' traps.
Vulnerability and Threat Trends Report 2019: Microsoft Windows was the third most exploited product in 2018, behind Google Android and Adobe Acrobat. Read more in the latest report from the Skybox Research Lab.
Zero-Day Attack on Russia Prompts OOB Patches: Read what happened when a malicious Word document was used to exploit an Adobe Flash Player bug in a targeted zero-day attack on Russia in late 2018.