
Threat Intelligence Bulletin: Windows Vulnerability Targeted Malware

June 2019

By Lewis Henderson

glasswallsolutions.com

Glasswall Threat Intelligence Bulletins mine our dynamic Glasswall FileTrust™ Threat Intelligence Data to explore the latest trends in evasive malware that bypasses the various security layers designed to protect an organization. This bulletin focuses on recent reports of a surge in malware designed to exploit Windows vulnerabilities, which, as Kaspersky recently reported, went from 16% of targeted platforms to 70% in Q4 2018, with no sign of this changing soon.


Evasive CVE Malware Trends

Firstly, our Threat Intelligence data clearly demonstrates that Windows vulnerability malware is on the rise, and as others in the industry are finding, we’ve seen a massive spike starting in Q1 2019.

Let’s explore what we’ve discovered in our data.

Because our customers run several layers of other security products and services before Glasswall FileTrust™ for Email processes attachments, over 85% of the CVE-related malware we see already had a known signature at the time it evaded those layers. I'll explore later why this might be, but first we need to look at why this type of malware is on the rise.

Windows vulnerabilities have existed since the first release, and as the software develops they will continue to appear. What presents a really interesting scenario, though, is the exploitation of weaknesses in systems that have already been patched: some of the CVEs we're seeing in current malware attacks target those weaknesses even though a patch has been made available. That begs the question: why are attackers not only using vulnerabilities for older platforms, but also using them against those that are already secured, or are they?


[Figure: Desktop Windows Version Market Share Worldwide, May 2018 - May 2019]

One surprising revelation is that attackers doing market research will quickly find they can still use old malware for launching new attacks. They just hide payloads in more contemporary Office formats, as we’ll reveal later.

The prevalence of Windows 7, 8 and even Windows XP still in use across enterprises isn't just viewed as a significant security risk; some even call it negligence. You would expect to see these legacy systems more often in Industrial Control Systems, for a distinct set of operational reasons, but not in contemporary business environments.


In order of prevalence, this is the list of CVE-related malware that Glasswall has disarmed in the last 12 months:

[Figure: Windows CVE Vulnerability Threats, ordered by prevalence]

There’s clearly popularity for CVE-2017-11882 amongst attackers, so we’ll have a closer look at that first.

As most cyber security professionals understand, this CVE is not an OS vulnerability but a vulnerability in Office's legacy Equation Editor component. It is a memory corruption vulnerability that allows an attacker to run programs as the local user, so if that user has administrative privileges, the attacker does as well. It's not standard practice to allow most employees to have admin rights, but conversely the Equation Editor may be part of a standard build, thereby spreading the risk widely.

The ability to pinpoint targets using various social media platforms and online forums means that attackers researching and gathering intelligence learn as much as they can about their intended victim from a distance. This is time well spent because after all, what’s the point in creating and sending malware if it’s not going to work?


Next, what did we observe about CVE-2017-11882 malware?

• It was exclusively delivered with Office documents
• It broke down as follows:

• 68% were in the binary '97-03 Word format
• 28% were Excel files in the current XML format
• Others were in .docx, .xltx and .pptx

Next on the list, and a lot further down in terms of occurrence, is CVE-2017-0199, a very old vulnerability that affects quite a few platforms: Vista, Windows 7 and 8.1, and Windows Server 2008 and 2012. Most patches were available from April 2017.

What did we observe about CVE-2017-0199 malware?

• It was delivered in a range of file types
• It broke down as follows:

• 100% of the .docx files had an embedded file
• 100% of the .xlsx files had DDE enabled
• 75% of the malware already had a signature

Finally, what did we observe across the other CVE malware?

CVE-2010-0188 exploits Adobe Acrobat, and 100% of the malware aimed at that specific vulnerability, unsurprisingly, came in .pdf documents. But each one of those contained an AcroForm, providing some evidence of how attackers use normal features to deliver the payload.

Clearly Binary Word (.doc) files remain a popular format to send any type of malware. We also see this across all other threats when reviewing our Threat Intelligence data.

[Figure: file-type breakdown, three panels: CVE-2017-11882, CVE-2017-0199, All Other CVE Malware]


The older binary Word format stands clear as the file type of choice. We see a similar overall trend across our Threat Intelligence data, where the binary Word format sits in second place behind malicious .pdf documents.

What we learned from looking at all of our data is that Windows Vulnerability Targeted Malware is commonly sent in Office documents because attackers know this just makes sense, with the Adobe exploit being the exception. Across all the malware that evaded other defences, here are the observed file types:

[Figure: Windows CVE Malware File Types]


Focusing on the features within the malicious files encountered, it's apparent that malware senders prefer to embed the payload file inside another file to obfuscate their attempt to reach their victim. Nearly 45% of the files we encountered displayed this characteristic.

[Figure: Windows CVE Vulnerability Threats, by file feature]

The next-highest file feature observed was Dynamic Data Exchange (DDE), at 39%.

[Figure: DDE-enabled Excel attachment infection chain. Initial Infection: the file contains legitimate Windows scripts that have malicious intent; the user is prompted to recover the contents of the workbook and clicks 'yes'. Invisible Attack: the malicious process runs silently beyond user space. Disappearing Act: the malware then discovers other devices locally that it can infect.]


We need to explore why over 85% of this type of malware managed to evade other security products and services prior to Glasswall disarming the malicious attachment.

Let’s take DDE as an example: DDE is a legitimate Office document function, yet it can be used to trick a user to activate malicious code buried deep in the file or trigger a workflow that fetches malware from a newly created malicious website. It’s a highly innovative trick that the attackers know will work, as most security technologies hunt for signatures, patterns or ‘bad’ document behaviour – none of which resides in the original file.

These evasive techniques demonstrate that attackers are on the front foot and constantly one step ahead of security vendors whose model is to protect against 'known bad'. All that's needed is old malware in a new file, hidden behind legitimate-looking features and functions. The facts speak for themselves: over 85% of the evasive malware we encountered was already known; only the techniques and tactics had changed. Post-analysis showed that Glasswall disarmed the files using the two methods of file sanitisation: 1) removal of features and functions, and 2) regeneration of the file to a safe standard. This provides further proof that, as part of a layered security stack, having a Content Disarm and Reconstruction (CDR) technology as the final layer is critical to defending against old threats in new files.

A few other observations:

The volume of evasive malware we encountered further highlights why DDE should be considered a high risk and be surgically removed. Glasswall FileTrust™ for Email uniquely identifies and removes DDE at the gateway, but it should be noted that disabling DDE at the endpoint could cause user disruption where it is used for legitimate purposes. Previous bulletins have discussed how Microsoft is continuing support for DDE, but it should be removed from files that originate outside your organisation's domain. DDE only ever points to internal data sources, never to the internet, so external files carrying this feature need to be viewed with suspicion. It is a legitimate feature that gives attackers a lot of control to deploy malware. You might have expected macros to be at the top of the attackers' preferred list, but they no longer hold the leading spot amongst evasive malware.


UK: +44 (0) 203 814 3900 USA: +1 (866) 823 6652

glasswallsolutions.com Glasswall Solutions Limited @glasswallnews

Recommendations for Organizations with Glasswall FileTrust™ for Email

ENGAGE WITH THE BUSINESS:
• Raise Windows Vulnerability Malware as a high risk, specifically for Windows administrators

MEASURE THE RISK:
• Assess who is sending and receiving Windows Vulnerability Malware
• Quantify inbound file attachments and their format and content

IMPLEMENT POLICY:
• Disallow DDE-enabled Office files and track occurrence and source
• Sanitise AcroForms and .pdf attachments where there is no defined business process/justification
• Sanitise embedded files from all document types

CONTROL THE THREAT:
• Configure Glasswall to sanitise content from Office and .pdf files from unknown senders
• Limit use of admin rights across the enterprise and enforce a least privilege model
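The DDE and embedded-file observations above, together with the "disallow DDE-enabled Office files" and "sanitise embedded files" recommendations, can be turned into a gateway check. The following is an added example written for this bulletin, not Glasswall's own code: it inspects an OOXML attachment for the file features the bulletin flags and maps them to an action. It assumes OOXML (.docx/.xlsx/.pptx) input only, since the binary '97-03 .doc format would need an OLE parser, and the gateway_action policy and the constructed test document are illustrative.

```python
import io
import re
import zipfile
# Added illustrative scanner, not Glasswall code. Word DDE lives in field codes
# (w:instrText runs, w:fldSimple w:instr), Excel DDE in <ddeLink> parts, embedded
# files sit under */embeddings/, Equation Editor objects carry ProgID="Equation.3".
INSTR_RUN_RE = re.compile(r"<w:instrText[^>]*>([^<]*)</w:instrText>")
INSTR_ATTR_RE = re.compile(r'w:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)
EMBEDDING_RE = re.compile(r"^(word|xl|ppt)/embeddings/", re.IGNORECASE)

def scan_ooxml(data: bytes) -> dict:
    """Return {feature: [zip parts where it was seen]} for one OOXML file."""
    findings = {"dde": [], "embedded_file": [], "equation_editor": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if EMBEDDING_RE.match(name):
                findings["embedded_file"].append(name)
            if not name.lower().endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Join field-code runs first: a field split across runs ("DDEA" + "UTO") defeats per-run checks.
            fields = "".join(INSTR_RUN_RE.findall(xml)) + " " + " ".join(INSTR_ATTR_RE.findall(xml))
            if DDE_RE.search(fields) or "<ddeLink" in xml:
                findings["dde"].append(name)
            if 'ProgID="Equation.3"' in xml:
                findings["equation_editor"].append(name)
    return findings

def gateway_action(findings: dict, external_sender: bool) -> str:
    """Bulletin policy (illustrative): external DDE is disallowed; embedded files and Equation objects are sanitised."""
    if external_sender and findings["dde"]:
        return "block-dde"
    if findings["embedded_file"] or findings["equation_editor"]:
        return "sanitise"
    return "allow"

def build_sample_docx(with_dde: bool, with_embedding: bool) -> bytes:
    """Constructed test document, not a real sample: DDEAUTO field split across two runs."""
    body = ('<w:r><w:instrText>DDEA</w:instrText></w:r><w:r><w:instrText>'
            'UTO placeholder-app "placeholder-topic"</w:instrText></w:r>'
            if with_dde else '<w:r><w:t>quarterly figures</w:t></w:r>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body><w:p>' + body + '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        if with_embedding:  # OLE compound-file magic followed by placeholder bytes
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()
```

The split-run join matters because Word tolerates a field code spread over several instrText runs, so a per-run pattern match misses it.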