Some threat actors are still using maldocs with VBA macros, so it must be working at least for some targets.
In some cases we can even see interesting and rarely used techniques. Let's analyse a recent sample with oletools and cyberchef: https://twitter.com/decalage2/status/1773114365949948324
@GossiTheDog I think at least up-to-date MS Office 2019 and 2021 block macros with MOTW, just like O365. Probably also Office 2016, but I haven't tested.
It's named "Microsoft Outlook Remote Code Execution Vulnerability", but from the article it does not look like a direct RCE. It's a way to open a remote file (for example in MS Word) without Protected View.
LibreOffice 24.2 Community, the new major release of the free, volunteer-supported office suite, with the new calendar-based numbering scheme (YY.M), many new useful features, and a focus on security and accessibility, is available at https://www.libreoffice.org/download@libreoffice@tdforg
Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 (8.8 high, exploited as a zero-day with public disclosure, disclosed by Microsoft in 14 November 2023 Patch Tuesday) to infect users with a previously unknown strain of the malware, Phemedrone Stealer. Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their C2 server. This open-source stealer is written in C# and actively maintained on GitHub and Telegram. TTPs and payload analysis described. IOC provided.
🔗 https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html
@GossiTheDog Well, isn't the issue that MS Word still uses MSHTML (aka Trident from Internet Explorer) to open URLs for remote OLE objects, remote templates and the like?
If there is a MHTML vuln exploitable from Outlook, it might also be from Word. But this is just a guess. 🙂
@still@GossiTheDog To me the document doesn't look very special, it's only a normal Word doc with a remote OLE object of type "htmlfile" pointing to an URL. So it just looks like a way to trigger a web request with MSHTML from Word. If there is really a new exploit (targeting MSHTML and not Word), it must be in the second stage at that URL, but I haven't managed to download it so far.
@GossiTheDog@still Right, I did some tests with the Follina exploit from 2022, changing the OLE object parameters to match this one, but it does not trigger code execution on a patched system.
As I understand the Forcepoint article, they think the second stage dropper might exploit a new Windows vulnerability. But it's unclear whether they managed to get the second stage or if it's just a guess.
This is work in progress: please contribute by sending your suggestions here, or by creating issue tickets or pull requests. #SecurityHardening#infosec#cybersecurity
