“INCLUDEPICTURE” undocumented Word feature exploited in the wild.

Attackers are using an undocumented Word feature in the wild to perform reconnaissance on user devices to gather sensitive configuration details for future attacks.

Researchers spotted the attack, which uses no VBA macros, embedded Flash objects or PE files, in spear-phishing emails carrying a malicious attachment that appeared to contain Google and Google Scholar tips, according to a Sept. 18 Kaspersky Lab blog post.

When the document is opened, Word sends a GET request to one of the links embedded in the document, and that request carries information about the user's device. The undocumented feature was identified only as the INCLUDEPICTURE field, and it was abused in a malicious Word document stored in the OLE2 (Object Linking and Embedding) format.

The OLE2 format lets authors embed objects and link to multiple resources or other objects from a single Word document. The technique is one stage of a multistage attack that gathers system configuration data from targeted machines.
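As an added example (not code from the article or from Kaspersky's write-up), the following Python triage script looks for INCLUDEPICTURE fields that point at http(s) URLs inside a legacy OLE2 .doc file. It is a byte-pattern heuristic rather than a full OLE2 parser: it scans for the field code in the two encodings Word uses for document text (8-bit cp1252 and UTF-16LE) and reports any remote URL it finds. The sample document bytes, the example.test hostnames and the function names are constructed for illustration and are not taken from the real samples.

```python
import re

# Header of an OLE2 / Compound File Binary container, which is what a legacy .doc is.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Word stores document text either as 8-bit (cp1252) or as UTF-16LE, chosen
# per text piece, so the field code is matched in both encodings.
_FIELD_8BIT = re.compile(rb'INCLUDEPICTURE\s+"?(https?://[^"\s\x00]+)', re.I)
_FIELD_UTF16 = re.compile(
    rb"I\x00N\x00C\x00L\x00U\x00D\x00E\x00P\x00I\x00C\x00T\x00U\x00R\x00E\x00"
    rb'(?:\x20\x00)+(?:"\x00)?((?:[\x21\x23-\x7e]\x00)+)',
    re.I,
)


def find_remote_includepicture(data: bytes) -> list:
    """Return every http(s) URL referenced by an INCLUDEPICTURE field in `data`."""
    urls = []
    for m in _FIELD_8BIT.finditer(data):
        urls.append(m.group(1).decode("cp1252", errors="replace"))
    for m in _FIELD_UTF16.finditer(data):
        candidate = m.group(1).decode("utf-16-le", errors="replace")
        # The UTF-16 pattern captures any argument; keep only remote ones.
        if candidate.lower().startswith(("http://", "https://")):
            urls.append(candidate)
    return list(dict.fromkeys(urls))  # de-duplicate while keeping order


def triage(data: bytes) -> dict:
    """Summarise whether `data` looks like an OLE2 file with a remote picture field."""
    urls = find_remote_includepicture(data)
    return {
        "is_ole2": data.startswith(OLE2_MAGIC),
        "remote_includepicture": urls,
        "suspicious": bool(urls),
    }


# Constructed sample "documents" (hypothetical, not real malware). 0x13 / 0x14 / 0x15
# are the field begin / separator / end characters Word uses in document text.
SAMPLE_REMOTE_8BIT = (
    OLE2_MAGIC + b"\x00" * 16
    + b'Google Scholar tips \x13 INCLUDEPICTURE "http://example.test/pic.png" \\d \x14\x15 more text'
)
SAMPLE_REMOTE_UTF16 = (
    OLE2_MAGIC + b"\x00" * 16
    + ' \x13 INCLUDEPICTURE "http://example.test/a.gif" \\d \x14\x15 '.encode("utf-16-le")
)
SAMPLE_LOCAL = (
    OLE2_MAGIC + b"\x00" * 16
    + b'\x13 INCLUDEPICTURE "C:\\pics\\logo.png" \x14\x15'
)

if __name__ == "__main__":
    for name, blob in (("remote-8bit", SAMPLE_REMOTE_8BIT),
                       ("remote-utf16", SAMPLE_REMOTE_UTF16),
                       ("local-only", SAMPLE_LOCAL)):
        print(name, triage(blob))
```

A hit means that opening the document will make Word fetch the picture from that URL, which is the outbound request described above; the script only flags the indicator and does not itself reproduce the request. A .docx would need the XML inside the zip container inspected instead (the field appears in `w:instrText` or `w:fldSimple` elements), and a field code split across runs or otherwise obfuscated can evade this byte-level check, so treat a clean result as "nothing obvious", not as a clean bill of health.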

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” researchers said in the blog.

The feature that allows the attack is present in Microsoft Office for iOS and in Microsoft Office for Android.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks,” researchers added. “In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks.”