Catching multilayered zero-day attacks on MS Office

Vladislav Stolyarov & Boris Larin, Kaspersky Lab

Over the past few years attacks leveraging Microsoft Office documents have become a weapon of choice for APT attacks. Office documents are popular not only with APT. It doesn’t take much time for malware authors to integrate novel techniques into their own Exploit Kits and attack ordinary users. Our statistics shows that only during 2018 amount of exploits attempts targeting MS Office increased by 4 times, making it the most targeted application in the world.

In this presentation we would like to take a look at one of the most recent zero-day attacks against this platform, CVE-2018-8174, that introduced a completely new attack vector. Zero-day exploit utilized a technique to load an Internet Explorer engine component right into the process context of MS Office and exploited an unpatched VBScript vulnerability without any user interaction. This new technique changes current threat landscape, as vulnerabilities that previously could only be exploited from a browser in a drive-by-attack scenario can now be also abused from an Office document.

This, and many other vulnerabilities was discovered with the help of our sandbox technology, that is proven to be very effective in catching even sophisticated, multilayered zero-day threats. In this presentation we would like to reveal how Sandbox can be utilized to catch this and many others zero-day attacks with our exploit and vulnerability detection system in our sandbox that is part KATA (Kaspersky Anti Targeted Attack Platform).

Why is this talk interesting:

  • Microsoft Office has become the most attacked application in the world and it is important to understand how it is being abused by malware authors.
  • CVE-2018-8174 is one of the few In-the-Wild 0-day exploits encountered this year and is particularly interesting for many reasons.
  • Exploitation techniques used in the VBScript exploit allow them to bypass all modern exploit mitigations.
  • We reverse engineered VBScript and will uncover its internals.

Takeaways:

  • Microsoft Office already had a huge attack surface already, but with the new attack vector, first abused in CVE-2018-8174 exploit chain it becomes even more threatening, as web-based exploits can now be also triggered from office documents.
  • A novel tool will be presented for analyzing and disassembling VBScript compiled into p-code. This tool allows for VBScript debugging at the bytecode level and can be used to analyze exploits and understand how VBScript operates.

Vladislav Stolyarov

Vladislav Stolyarov is a malware analyst at Kaspersky Lab, where he is focused on all sorts of vulnerability research, including advanced exploit detection and prevention with all modern antivirus technologies. In his free time he enjoys Capture The Flag information security competitions.

Boris Larin

Boris Larin is a malware analyst at Kaspersky Lab, focused on exploits and network attack detection. His main fields of interest are reverse engineering, code deobfuscation and vulnerability research. He is also the author of educational materials for Kaspersky Academy and runs a malware reverse engineering course at Harbour.Space University in Barcelona. In his free time he likes to investigate and examine the security of embedded devices.

The Dynamic Security Ecosystem
Other Topics