Security firm Check Point has laid hands on the latest version of an increasingly popular tool criminals have been using to automatically generate malicious Microsoft Office files by doing nothing more complex than clicking a few dialogues.
Understood to be on sale on criminal forums for a mere $70 (£45), Office Exploit Builder v4 is the latest example of the fashion for attacking businesses and individuals using what appear to be legitimate Word or Excel files.
What OEB does is simple, but it saves its users a huge amount of time and spares them the need for expertise. The user specifies a file (e.g. a Trojan or other malware) by URL, and a reference to that URL is then embedded in the document inside an obfuscated macro.
A decoy can be added (to make the file look like a normal document) and there is even an option to add anti-sandboxing. The obfuscation of the macro code is crucial because the macro is the only thing that might mark the file out as malicious before it executes.
At the point in July when Check Point carried out its analysis, the program’s malicious code was detected by only 11 of the 55 anti-virus engines it was pitted against on VirusTotal, which underlines that the attacks it generates would succeed in many cases.
Detecting malicious macro code within documents isn’t as easy as it sounds, because macro languages by necessity allow a range of sophisticated actions, most of which are perfectly legitimate in normal use.
The file that is called by the macro code could, of course, be anything - that part is up to the attackers.
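The difficulty described above is that the macro language itself is legitimate, so a defender has to look for the combination of traits that a dropper-style document exhibits: a VBA project is present, it runs automatically when the document opens, and it references an external URL or process-launching functions. The following added example (not code from the article, Check Point or the tool's authors) shows a first-pass triage heuristic for modern OOXML (.docm/.xlsm) files, which are ZIP containers. The sample document is constructed inline and is not a real Office file; the indicator lists and the `example.invalid` URL are assumptions. Real module source inside `vbaProject.bin` is stored in MS-OVBA compressed form, so raw string matching is a coarse check; a full analysis would decompress the module streams (as tools such as oletools' olevba do) and also handle legacy OLE2 .doc/.xls files, which this example does not.

```python
"""Triage an OOXML document for macro indicators (added example, not from the
article).  Heuristic only: presence of a VBA part, macro-enabled content type,
auto-execution entry points, process/download keywords and embedded URLs."""
import io
import re
import zipfile

VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Content type Word writes for a macro-enabled main document part (.docm).
MACRO_ENABLED_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
# Entry points that make a macro run without a user action beyond opening.
AUTOEXEC = (b"AutoOpen", b"Document_Open", b"Auto_Open", b"Workbook_Open")
# Keywords typical of a stager that fetches and runs an external file.
# Assumed indicator list; tune to your environment.
SUSPICIOUS = (b"Shell", b"CreateObject", b"URLDownloadToFile", b"Environ")
URL_RE = re.compile(rb"https?://[^\s\"'\x00]+", re.IGNORECASE)


def triage(data: bytes) -> dict:
    """Return a dict of findings for one OOXML container given as bytes."""
    findings = {"has_vba": False, "macro_enabled_ct": False,
                "autoexec": [], "suspicious": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if VBA_PART_RE.search(n)]
        findings["has_vba"] = bool(vba_parts)
        if "[Content_Types].xml" in names:
            findings["macro_enabled_ct"] = MACRO_ENABLED_CT in zf.read("[Content_Types].xml")
        for part in vba_parts:
            blob = zf.read(part)
            findings["autoexec"] += [k.decode() for k in AUTOEXEC if k in blob]
            findings["suspicious"] += [k.decode() for k in SUSPICIOUS if k in blob]
            findings["urls"] += [u.decode(errors="replace") for u in URL_RE.findall(blob)]
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label for a SOC queue."""
    if not findings["has_vba"]:
        return "clean-no-macros"
    if findings["autoexec"] and (findings["urls"] or findings["suspicious"]):
        return "suspicious-autoexec-with-dropper-indicators"
    return "review-macros-present"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for testing.  The vbaProject.bin
    content is a fake byte string, not a real compiled VBA project."""
    main_ct = (MACRO_ENABLED_CT.decode() if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed indicators only; http://example.invalid is a reserved TLD.
            zf.writestr("word/vbaProject.bin",
                        b"\x00\x01Sub AutoOpen()\x00Set o = CreateObject(\"x\")\x00"
                        b"http://example.invalid/stage2.bin\x00End Sub\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        f = triage(build_sample(flag))
        print(verdict(f), f)
```

Run as a script it prints the findings for both constructed samples; in practice `triage()` would be fed attachments from a mail gateway or a file-share scan. The heuristic deliberately does not treat "macros present" alone as malicious, since legitimate business documents carry macros too; it is the auto-execution plus external-reference combination that matches the dropper pattern the article describes.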
This type of attack should not be confused with older and simpler macro malware, where the maliciousness was the macro code itself rather than the file it is set to fetch and conceal. Typically, old-style macro malware copied and emailed itself as a way of spreading, hence the ‘virus’ moniker.
Today, macros are used as one stage of more complex attacks, and their popularity has risen again in recent times after years in which they were barely used.
According to Check Point, the tool is something its researchers have come across on a number of occasions and it appears to be popular. Version 4 dates from early July, a spokesperson confirmed.