The FortiGuard Labs team continually tracks phishing and spam campaigns around the world. Sending users macro-enabled documents with a malicious payload is one of the most commonly used malware attack vectors for phishing campaigns. This attack vector has been used by used by such prevalent malware families as Dridex, Fareit, and Hancitor. The key to these sorts of campaigns is luring users into clicking on a malicious file attached to an email message. As a result, malware distributors are always looking for ways to trick users into executing their malicious content.
In this article we will examine a common technique called OLE object embedding that is used in some spam campaigns to deliver malware payloads. In particular, we will look at how this technique is can be used with documents created with Ichitaro, a popular alternative to Microsoft Word in Japan.
Figure 1: OLE object phishing in MS Office
Malicious MS Office attachments are by far the most common infection method used in phishing campaigns. During our analysis we found that Ichitaro handles embedded OLE objects the same way that Microsoft Word does, which means that Ichitaro users are vulnerable to this same attack vector. However, there are two additional issues that Ichitaro users should be aware of when handling documents to protect themselves from this kind of phishing attempt - OLE objects and the "link" function.
In both Ichitaro and MS Office, you can embed any file (e.g. .exe, .dll, etc.) into a document using "Package object":
Figure 2: Object package in Ichitaro
As a result, the same methods used to trick MS Office users into executing attached documents can be used to trick Ichitaro users as well. The victim needs to double click on a package icon to execute the embedded file. By default, the OLE function in both MS Office and Ichitaro asks users if they want to open an untrusted file like this:
Figure 3: Warning when opening an OLE file
More often than not, users focus on the file name and its extension. If the filename is well crafted, there is a high probability that the user will allow it to run. Additionally, by using the old reverse filename trick, an attacker can deceive a user into believing they are running a “.jtd” file when in fact the file will run an “.hta” script, as shown below:
Figure 4: warning with reversed file extension
Although Microsoft Office and Ichitaro handle OLE objects the same way in general, MS Office has more security mechanisms in place.
With Microsoft Office, OLE objects are dropped into the user’s %TEMP% folder, but only when they are accessed and the user explicitly gives consent via a prompt dialog box. In Ichitaro, however, as soon as a document is opened all embedded OLE objects are automatically written to the %TEMP% folder. This immediately opens a new attack surface wherein dropped files can be executed with the help of DLL hijacking and hyperlinking. This will be discussed in detail in the next sections.
Video 1: With Ichitaro, OLE objects are dropped to %TEMP% automatically
Microsoft Office hyperlinks require a CTRL-Left-Click in order to trigger them. Ichitaro hyperlinks, however, are triggered by default with just a simple click of the mouse. This results in the referenced file being immediately opened or executed – which means that just one wrong click can open a possibly malicious binary file.
Fortunately, Windows has a way to determine whether files are to be trusted or not, based on several criteria such as their extension and the file source. It uses this information to determine if a warning prompt should be displayed to the user before execution. Naturally, this alarm does not sit well with threat actors. Unfortunately, there is a way to work around this, which will be discussed in the next section.
The following videos show Microsoft Windows displaying a prompt window for a non-trusted HTA executable, and not for the trusted native Windows application calc.exe, respectively
[Video2 - execute OLE file]
Video 2: Executing an embedded HTA OLE object via hyperlink pointing to the local copy
Video 3: Executing calc.exe via hyperlink pointing to its path
The goal for the attacker is to execute a non-trusted DLL binary file without triggering a warning prompt. When Ichitaro executes an OLE object via a hyperlink pointed to its local copy, it handles the scenario similar to the way a browser does when opening an executable file that has just been downloaded. As shown in the previous videos, since the file is from an unknown source, Windows displays a Security Warning.
The plan to circumvent this is to take advantage of Ichitaro’s unique behavior of automatically writing local copies of the OLE objects into the user’s %TEMP% directory by using a hyperlink to point to one of those local copies. In order to circumvent the security warning, Windows must trust that linked file. With these requirements, the DLL preloading vulnerability is perfect. If there is a trusted file type (Excel files, for example) associated to an application with the DLL preload vulnerability, an attacker can embed the trusted file and the DLL binary in the Ichitaro document. Then, when the hyperlink pointing at the trusted file is opened, the DLL binary will automatically be loaded and executed since Ichitaro drops the OLE objects in the same directory (%TEMP%),.
While there is no “one-shot” solution to mitigate the phishing techniques discussed, the attack surface can be limited by disabling the "one-click" hyperlink trigger on Ichitaro documents:
Figure 5: disable "1-click" option in Ichitaro
While we have not yet encountered an actual attack using the technique just discussed, it should serve as a good reminder for all users to be cautious and stay one step ahead.
-= FortiGuard Lion Team =-
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.