We haven’t seen macro viruses for a while, but they are back. HawkEye is a new variant that rides on the resurgent use of unpatched vulnerabilities in Microsoft Word and other Office documents. Using macros written in Visual Basic, attackers send Word document attachments that run code on victim computers.
Last week we wrote about the Locky ransomware exploit, which encrypts your data and holds it for ransom. Ransomware exploits are usually run by fairly large, sophisticated teams. This new HawkEye exploit is simple enough to be run by a small, relatively unsophisticated group, or even a single cyber-criminal.
The attractive thing about MS Office exploits is that even if you are set up to get Windows Updates automatically, you could still be missing important Office patches that would stop this exploit from working at all, unless you agreed to let Microsoft Update include the Office suite in the update process. Another good reason to be running your updates automatically!
The goal with HawkEye is to infect as many computers as possible to make a bunch of small transactions, as little as $200 per victim, although the actual take could be much more.
You may never be aware of this exploit because it is designed to operate silently in the background. This is how the exploit works:
- Attackers buy pre-built documents that use the Microsoft Word Intruder exploit tool. These are available for sale on the Dark Web. Just opening one of these documents on an unpatched computer causes the malware to install without further user intervention.
- They buy a keylogger program and configure the infected Word file to download and install it from a download site they control. This, too, is for sale on the Dark Web.
- They get an email list that targets a particular industrial sector, such as HVAC contractors, building contractors, or sheet metal fabricators. The idea is to pick a narrow niche. This is also for sale on the Dark Web; in fact, the whole shebang can be purchased as an exploit kit, complete with technical support for the attacker.
- They send out emails with a request for quotation or a notice of a past-due invoice, maybe just a few thousand to keep the volume below the threshold of spam filters, with the infected Word document attached.
- When the target reads the email (hey everyone, we got a new customer!) and opens the Word attachment, the keylogger program is downloaded and installed.
- The goal of the keylogger phase is to get the target’s email password.
- Using the stolen password, the attacker logs into the target’s email account and reads the inbox and outbox, watching for the target to send an invoice to one of their customers.
- Then, using the hijacked email account, the criminals send a follow-up email to the customer, from the same account the invoice just came from, advising the customer to send the payment to a “new” bank account, one that is controlled by the attackers.
- Attackers receive the payment and transfer it quickly to another account where recovery would be difficult or impossible.
This exploit is designed to collect lots of small transactions, in the hope that most of them will not be noticed quickly, if at all. Basically, by sending out 3000-5000 emails, the attackers may end up with 100-300 infected systems. A smaller percentage, perhaps 10%, are infected with the keylogger. Still, the take on this exploit can be several hundred thousand dollars a month, and it is easily repeatable.
Our advice is the usual for this sort of email exploit:
- Keep your operating systems and software programs patched and up-to-date.
- Run a high quality anti-malware program, like BitDefender, and keep it updated, too.
- Never open attachments without confirming the contents with the sender.
- Or forward the questionable message to firstname.lastname@example.org, replacing the existing subject text with the word SCAN. VirusTotal will send you an email reply in about 10 minutes with a verdict on the safety of your attachment.
- Use two-factor authentication on your email account. That way, if you lose your password, the criminals would still need the TFA access code that appears on your smartphone.
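Since the attachment in this campaign carries its payload in a Visual Basic macro, a cheap first check before anyone opens a Word file is whether it contains a VBA project at all. The script below is an added example for this post, not the author's or any vendor's code: it inspects raw attachment bytes, flags modern Office (OOXML) files that contain a `vbaProject.bin` part, and marks legacy binary `.doc` files as needing a closer look, since their macros cannot be ruled out from the header alone. The sample documents it builds are constructed in memory for illustration.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy binary .doc / .xls formats).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# In OOXML files (.docx, .docm, .xlsm ...) the VBA project is stored as a binary part.
VBA_PART_SUFFIX = "vbaProject.bin"


def classify_office_attachment(data: bytes) -> str:
    """Return one of:
    'ooxml-macro'  OOXML zip containing a VBA project part (treat as suspicious)
    'ooxml-clean'  OOXML zip with no VBA project part
    'ole-legacy'   binary Office format; macros cannot be excluded without deeper parsing
    'other'        not an Office document (or not a readable zip)
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    # Every OOXML package carries a content-types manifest at the root.
    if "[Content_Types].xml" not in names:
        return "other"
    if any(n.endswith(VBA_PART_SUFFIX) for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("quote.docm", build_sample(True)), ("quote.docx", build_sample(False)),
               ("invoice.doc", OLE_MAGIC + b"\x00" * 8)]
    for name, blob in samples:
        print(f"{name}: {classify_office_attachment(blob)}")
```

A file renamed from `.docm` to `.docx` still shows up as `ooxml-macro` here because the check looks at the package contents, not the extension.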
If you are a regular reader of this web log and have been following my advice, this exploit is unlikely to work. It only works on systems that are unpatched or out of date. That means you, if you are still clinging to an older Windows XP or even a Windows Vista system. Stay safe out there!