There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector used to exploit and infect machines, but now Microsoft Office applications are preferred, according to a report published here during March 2019.

Increasing use of Microsoft Office as a popular exploitation target poses an interesting security challenge. Weaponized documents in email attachments are a top infection vector. Object Linking and Embedding (OLE), a technology based on the Component Object Model (COM), is one of the features of Microsoft Office documents that allows objects created in other Windows applications to be linked or embedded into a document, thereby creating a compound document structure and providing a richer user experience. OLE has been massively abused by attackers over the past few years in a variety of ways. OLE exploits in the recent past have been observed loading COM objects to orchestrate and control the process memory, taking advantage of parsing vulnerabilities in the COM objects, hiding malicious code, or connecting to external resources to download additional malware.

Microsoft Rich Text Format is heavily used in email attachments in phishing attacks. It has been gaining massive popularity, and its wide adoption in phishing attacks is primarily attributed to its ability to contain a wide variety of exploits and to serve efficiently as a delivery mechanism against targeted victims. Microsoft RTF files can embed various forms of object types, either to exploit parsing vulnerabilities or to aid further exploitation. The Object Linking and Embedding feature in Rich Text Format files is largely abused either to link the RTF document to external malicious code or to embed other file format exploits within it, using the RTF file as the exploit container. The RTF file format is evidently very versatile. In the sections below, we outline some of the exploitation and infection strategies used in Microsoft Rich Text Format files over the recent past and then, towards the end, reflect on the key takeaways that can help automate the analysis of RTF exploits and set the direction for a generic analysis approach.

Rich Text Format files are heavily formatted using control words. Control words in RTF files primarily define the way the document is presented to the user. Since these RTF control words have associated parameters and data, parsing errors in handling them can become a target for exploitation. Exploits in the past have also been found using control words to embed malicious resources. Consequently, it becomes important to examine any destination control word that consumes data and to extract its stream. The RTF specification describes several hundred control words that consume data. RTF parsers must also be able to handle the control word obfuscation mechanisms commonly used by attackers, to further aid the analysis process. Below is one of the previously seen exploits using control word parameters to introduce executable payloads inside the datastore control word.

Overlay data is additional data appended to the end of an RTF document; it is predominantly used by exploit authors to embed decoy files or additional resources, either in the clear or in encrypted form that is decrypted once the attacker-controlled code executes. Overlay data beyond a certain size should be deemed suspicious and must be extracted and analysed further. However, the Microsoft Word RTF parser ignores the overlay data while processing RTF documents. Below are some instances of RTF exploits with a higher volume of overlay data appended at the end of the file, with CVE-2015-1641 embedding both the decoy document and multi-staged shellcodes with markers.

Object Linking and Embedding in RTF Files

Linked or embedded objects in RTF documents are represented as RTF objects, specifically through the RTF destination control word “object”.
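As an added example (not code from the original article), a small Python triage helper implementing the two checks described above: splitting off overlay data after the outermost closing brace, and recovering the hex stream of a data-consuming destination such as \objdata or \datastore despite interleaved control words, nested groups and whitespace. The sample RTF and the \xyz and \junk control words are constructed for illustration, and the helper does not handle \bin raw-binary runs.

```python
import re
from binascii import unhexlify

# \word with optional numeric parameter and delimiting space, or a control
# symbol such as \* \{ \} \\ (escaped braces must not count as group braces).
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")
HEX_DIGIT = re.compile(rb"[0-9a-fA-F]")

def split_overlay(data: bytes):
    """Return (rtf_body, overlay). The body ends where the outermost group
    closes; bytes after that brace are overlay Word never parses.
    Assumption: \\bin raw-binary runs are not handled (triage aid only)."""
    depth, i = 0, 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                  # skip escaped brace/symbol
            i += 2
            continue
        depth += (c == b"{") - (c == b"}")
        if c == b"}" and depth == 0:
            return data[:i + 1], data[i + 1:]
        i += 1
    return data, b""                    # unterminated: no overlay found

def extract_destination(data: bytes, name: bytes):
    """Yield the decoded hex payload of each \\<name> destination group
    (objdata, datastore, ...), dropping interleaved control words, nested
    group braces and whitespace: the common obfuscation tricks."""
    for m in re.finditer(rb"\\" + name + rb"(?![a-zA-Z])", data):
        depth, i, nibbles = 0, m.end(), bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                cw = CONTROL_WORD.match(data, i)
                i = cw.end() if cw else i + 1
                continue
            if c == b"}" and depth == 0:   # destination group closed
                break
            depth += (c == b"{") - (c == b"}")
            if HEX_DIGIT.match(c):
                nibbles += c
            i += 1
        yield unhexlify(bytes(nibbles[:len(nibbles) - len(nibbles) % 2]))

# Constructed sample: hex stream split by a newline, a bogus \xyz control
# word and a nested {\*\junk} group, then 48 overlay bytes after the last brace.
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objdata 4d5a" + b"\r\n"
              + rb"  90\xyz 00{\*\junk}03 00 00 00}}\par}"
              + b"OVERLAY:" + b"\x00" * 40)
```

On the sample, the decoded \objdata stream starts with the MZ header and the overlay is 48 bytes long, which an analyst would flag against a size threshold before extracting it for further analysis.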