For many years, users of Microsoft Office 2010 were instructed to watch out for a certain exploit that could leave them vulnerable to remote code execution. That particular exploit was listed by Internet security analysts as CVE-2012-0158, also known as the Microsoft Word intruder, which affected not only Office 2010 but also Office 2007 and Office 2013.
It so happens that cybercrime perpetrators have decided to modernize the old Microsoft Word intruder. In late July 2016, industry site IT World Canada reported on an update from Internet security firm Sophos, which reported updated versions of this exploit.
How the Microsoft Word Intruder Works
Contrary to what its name might suggest, the Microsoft Word intruder does not limit itself to Word documents. Just about any file format supported by Office 2010 can be used to launch the attack; this includes Rich Text Format (.rtf), an old Windows standard, and even HTML.
The basic mechanism of the exploit consists of distributing a document that contains an Encapsulated PostScript (EPS) file, which looks like a standard image. The targeted user does not usually suspect anything; however, the document acts like a booby trap in the sense that it executes malicious code in the background that connects the victimized computer, laptop, tablet, or smartphone to a rogue server.
Once the targeted device has been compromised, remote attacks can be launched on a network. Another scenario would be a computer becoming part of a botnet to distribute spam or malware.
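Because the malicious EPS is presented as an ordinary image, a defender cannot rely on file extensions to find it. The following Python script is an added example (it is not from the article or from Sophos) that opens an Office Open XML container (.docx, .xlsx, .pptx are zip files) and checks the first bytes of every embedded part for the two standard EPS signatures, the ASCII "%!PS-Adobe" header and the DOS EPS binary header C5 D0 D3 C6. The sample document it builds is constructed in memory for the demo; the part name "word/media/image1.png" is an assumption chosen to show a renamed EPS being caught by content rather than by name.

```python
"""Scan an Office Open XML document for embedded EPS content.

Added detection example for defenders; not part of the original article.
The sample document built by build_sample_docx() is constructed data and
its part names are assumptions for the demo.
"""
import io
import zipfile
from typing import List

# Two well-known EPS signatures: the ASCII PostScript header and the
# DOS EPS binary header (C5 D0 D3 C6) that wraps a preview plus PostScript.
EPS_ASCII_MAGIC = b"%!PS-Adobe"
EPS_DOS_MAGIC = bytes.fromhex("C5D0D3C6")


def looks_like_eps(data: bytes) -> bool:
    """Return True if the bytes start with a known EPS signature."""
    head = data[:16]
    return head.startswith(EPS_ASCII_MAGIC) or head.startswith(EPS_DOS_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> List[str]:
    """Return the names of parts inside an OOXML container that carry EPS
    data. The check is on content, so a renamed .png or .jpg is still found.
    A non-zip input (for example a bare EPS file) is checked as a flat blob."""
    stream = io.BytesIO(doc_bytes)
    if not zipfile.is_zipfile(stream):
        return ["<flat file>"] if looks_like_eps(doc_bytes) else []
    stream.seek(0)
    hits = []
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                if looks_like_eps(part.read(16)):
                    hits.append(info.filename)
    return hits


def build_sample_docx(embed_eps: bool) -> bytes:
    """Construct a minimal OOXML-like zip for the demo (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_eps:
            # An image-looking name hiding an EPS body (assumed part name).
            zf.writestr("word/media/image1.png", b"%!PS-Adobe-3.0 EPSF-3.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("EPS parts found:", find_embedded_eps(build_sample_docx(flag)))
```

Run the script to see the suspicious part reported for the constructed sample and an empty list for a clean one; in practice, any EPS part found in mail attachments is a candidate for quarantine and further analysis rather than proof of exploitation, since legitimate documents can embed EPS graphics too.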
The Updated Version of the Exploit
IT World Canada reports that the new version of this Microsoft Office 2010 cyber threat has become more sophisticated. In an effort to prevent suspicion among victims, the document inside the exploit kit has been significantly reduced in size and has been renamed to “document.xml,” although this may change from one cybercrime group to another.
In the past, known hacking outfits combined the Microsoft Word intruder with the FAREIT Trojan, which took advantage of a Windows PowerShell vulnerability. The new intruder is more likely to arrive via an email message with attachments.
The generic hook of the messages is written in “corporate speak” that makes vague references to payments, invoices, orders, price quotations, etc. Sophisticated cybercrime crews may conduct some research on their intended victims to craft the message. For example, the email address may be spoofed to resemble an internal user, and the message could be crafted in a way that resembles the office culture.
Corporate IT security managers in Canada should research the new threat, which has been filed as CVE-2015-2545, and apply the necessary patches to avoid being compromised. This new exploit kit actively targets Microsoft Office versions installed within a business network.