A recently discovered malicious Word document uses the hyperlink feature in the OpenXML format to load an RTF file that subsequently exploits CVE-2017-8759 in order to download a RAT.

A malicious Microsoft Word document, discovered making the rounds via phishing emails, infects victims with the Orcus RAT (Remote Administrative Tool) by automatically downloading a secondary RTF document that carries a remote code execution exploit.

The RAT payload, which is disguised with the file name "mozilla.exe," enables attackers to perform keylogging and remotely access the desktop and webcam, according to Malwarebytes' lead malware intelligence analyst Jerome Segura in a blog post. Segura credits the discovery of the threat to researcher Xavier Mertens, who warned of the threat last week via Twitter.

Once the initial malicious Word document is opened, no user action is required to trigger the infection chain. The doc uses the hyperlink feature in the OpenXML format to load an RTF file that subsequently exploits CVE-2017-8759, a SOAP-based parser code injection vulnerability within the Microsoft .NET framework that Microsoft Corporation patched in September.
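As an added defender-side check (written for this article, not code from Malwarebytes or the researchers cited), the script below unpacks a .docx, lists every OpenXML relationship marked TargetMode="External", and flags targets that point at a remote RTF or other document file; the sample document and its URL are constructed placeholders, and the assumption is that the malicious file loads the RTF through such an external relationship.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Remote targets whose extension suggests a second-stage document (heuristic; attackers
# can omit the extension, so an external relationship is worth a look regardless).
SUSPICIOUS = re.compile(r"^(https?|file)://.*\.(rtf|doc|docx|hta|exe)(\?|$)", re.I)


def build_sample_docx(target):
    """Constructed minimal .docx: an OpenXML package is a zip of XML parts, and
    external hyperlinks live in word/_rels/document.xml.rels (placeholder URL)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Return every relationship with TargetMode="External" across all .rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return found


def flag_remote_documents(docx_bytes):
    """Subset of external relationships whose target looks like a remote document."""
    return [r for r in external_relationships(docx_bytes) if SUSPICIOUS.search(r["target"])]
```

A mail gateway or sandbox can run the same relationship walk over every inbound .docx and quarantine files with external targets for analyst review.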

Via this exploit, the RTF file downloads and executes VBScript with PowerShell commands, resulting in the final payload, which Malwarebytes identifies as Backdoor.NanoCore.

Both the exploit and payload are hosted on and downloaded from a free file hosting site using the domain name pomf[.]cat, Malwarebytes notes.

In a similar report last September, FireEye researchers detailed a Microsoft Office RTF document found exploiting CVE-2017-8759 in order to download a FinSpy surveillance software payload that may have been targeting a Russian speaker.

Segura theorizes that the attackers have employed a multi-step, multi-document infection chain in order to better conceal their attack, essentially using the initial Word document as a Trojan horse. To appear more legitimate, they also made sure that the Word file generates a decoy document, which lists various "Supplies and Products information."