
Campaign leverages two malicious docs and RCE vulnerability to spread Orcus RAT

A malicious Microsoft Word document, discovered making the rounds via phishing emails, infects victims with the Orcus RAT Remote Administrative Tool by automatically downloading a secondary RTF document that triggers a remote code execution exploit.

The RAT payload, which is disguised under the file name "mozilla.exe," enables attackers to perform keylogging and to remotely access the desktop and webcam, according to a blog post by Malwarebytes' lead malware intelligence analyst Jerome Segura. Segura credits the discovery of the threat to researcher Xavier Mertens, who warned of it last week via Twitter.

Once the initial malicious Word document is opened, no user action is required to trigger the infection chain. The doc uses the hyperlink feature in the OpenXML format to load an RTF file that subsequently exploits CVE-2017-8759, a SOAP-based parser code injection vulnerability within the Microsoft .NET framework that Microsoft Corporation patched in September.

Via this exploit, the RTF file downloads and executes VBScript with PowerShell commands, resulting in the final payload, which Malwarebytes identifies as Backdoor.NanoCore.

Both the exploit and the payload are hosted on, and downloaded from, a free file hosting site using the domain name pomf[.]cat, Malwarebytes notes.
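The Word stage of this chain relies on an OpenXML relationship marked external to pull the RTF from a remote host, so one defender-side triage check is to unzip a .docx and list every relationship with TargetMode="External" that points at an http(s) URL. The following is an added example written for this article, not code from Malwarebytes or the researchers cited; the sample document it builds is constructed in memory, and the URLs in the test are placeholders, not the campaign's infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_targets(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship in any
    .rels part that is TargetMode="External" and points at an http(s) URL."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, target))
    return found


def suspicious(targets):
    """Flag remote targets that name an .rtf file, or that are reached through a
    relationship type other than a plain clickable hyperlink (objects, frames
    and images with external targets are fetched by Word without a click)."""
    return [t for t in targets
            if urlparse(t[2]).path.lower().endswith(".rtf") or t[1] != "hyperlink"]


def build_sample_docx(rel_type, target):
    """Construct a minimal .docx containing one external relationship.
    This is constructed test input, not a real malicious sample."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}{rel_type}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Ordinary documents commonly carry external hyperlink relationships to web pages, so the check only raises those whose target is an RTF or whose relationship type Word resolves automatically.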

In a similar report last September, FireEye researchers detailed a Microsoft Office RTF document found exploiting CVE-2017-8759 in order to download a FinSpy surveillance software payload that may have been targeting a Russian speaker.

Segura theorizes that the attackers have employed a multi-step, multi-document infection chain in order to better conceal their attack, essentially using the initial Word document as a Trojan horse. And to appear more legit, they also made sure that the Word file generates a decoy document, which lists various "Supplies and Products information."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
