Detecting Microsoft Word Documents Built for “Locky” Delivery
You should never open an attachment from an individual that you don’t recognize. But what if you see an email from a trusted friend or colleague with an attachment? Your spam and antivirus filters would have flagged and blocked the email if there were anything wrong with it, right?
Unfortunately, weaponized Microsoft Word documents continue to wreak havoc within organizations. When we say “weaponized” we typically mean an innocuous-looking file that has been modified to trigger malicious follow-on, or second-stage, activity – such as downloading a piece of malware, installing a keylogger, or redirecting the viewer to a phishing website in an attempt to harvest credentials. In an environment where files are accessible by groups of people, or entire business units, the problem can become exponentially amplified.
One of the most common methods for enabling this behavior is the inclusion of a malicious macro within the document by the threat actor. Luckily, most recent versions of Microsoft Office warn the user, upon opening a document, that the document contains macros and they must be enabled to “function properly.” As this reasonably covert method for infecting computers has been around for quite some time, most users have learned to distrust such instructions. The threat actors, however, are getting smarter.
An example of this evolution can be seen in the recent Locky crypto-ransomware delivery methodology. Locky is currently being distributed via email containing Word document attachments with malicious macros. The email message will carry a subject similar to “ATTN: Invoice J-98223146” and a body such as “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.” When the document is opened, if Office macros are turned on in Word, the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text “Enable macro if the data encoding is incorrect.” Once a victim enables the macros, an executable is downloaded from a remote server, and the infection begins encrypting files stored locally and on mounted shares.
As stated earlier, in an environment where files are accessible by groups of people, or entire business units, the problem can become exponentially amplified. In the case of the Locky-enabled Word document, you can easily use the DataGravity Custom Tag capabilities to search documents for the presence of the offending pattern – in this case “Enable macro if the data encoding is incorrect” – as seen below.
After running a manual DiscoveryPoint, or allowing your regularly scheduled DiscoveryPoints to run, your DataGravity Dashboard should display the number of documents that match your newly created Locky Custom Tag.
This can be set on specific mount points, or across all mount points within your organization, to provide automatic visibility into potential threats as they occur.
Using DataGravity Custom Tags, Match Patterns, and Content Alerts you can quickly and effortlessly detect threats that employ similar methodologies. For example, you can discover embedded IP addresses, domains, or URLs provided by your trusted threat intelligence partners hiding in your stored documents with minimal effort. This scenario can be applied to more than Microsoft Word documents. DataGravity supports more than 400 data formats, from Microsoft Office and Adobe PDF, to XML and metadata for most multimedia formats and DLLs.
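As an added example (not DataGravity's tooling and not code from the original post), the following Python scanner applies the same idea directly to files on a share: it matches the Locky lure text from the post, or any other list of indicator strings as described above, against the body of Word documents, and records whether an OOXML file also carries an embedded VBA project. The sample documents it builds are constructed for the demonstration and are not real Locky attachments; the `.doc` fallback is a plain byte search and does not parse legacy macro storage.

```python
import io
import re
import zipfile
from pathlib import Path

# Lure text quoted in the post; Locky documents show it above the garbled block.
LOCKY_LURE = "Enable macro if the data encoding is incorrect"

def scan_document(data: bytes, patterns=(LOCKY_LURE,)) -> dict:
    """Match tag patterns against one Word document given as raw bytes."""
    hits, ooxml, has_vba = [], False, False
    if zipfile.is_zipfile(io.BytesIO(data)):
        # .docx/.docm are ZIP containers: body text is word/document.xml and an
        # embedded VBA project is word/vbaProject.bin.
        ooxml = True
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            has_vba = "word/vbaProject.bin" in names
            xml = zf.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
            # Strip XML tags so a phrase split across <w:t> runs still matches.
            hits = [p for p in patterns if p in re.sub(r"<[^>]+>", "", xml)]
    else:
        # Legacy binary .doc: search the raw bytes in ASCII and UTF-16LE, the two
        # string encodings Word uses (its macro storage is not parsed here).
        hits = [p for p in patterns
                if p.encode("utf-8") in data or p.encode("utf-16-le") in data]
    # A lure in a macro-free OOXML file (e.g. a saved copy of this post) is not
    # actionable; a legacy .doc cannot be checked for VBA here, so any hit alerts.
    return {"ooxml": ooxml, "has_vba": has_vba, "hits": hits, "alert": bool(hits) and (has_vba or not ooxml)}

def scan_tree(root: str, patterns=(LOCKY_LURE,)) -> list:
    """Scan every Word file under root (e.g. a mount point); return (path, hits) alerts."""
    alerts = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".doc", ".docx", ".docm"}:
            report = scan_document(path.read_bytes(), patterns)
            if report["alert"]:
                alerts.append((str(path), report["hits"]))
    return alerts

def build_sample(text: str, with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, not a real Locky attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a VBA project")
    return buf.getvalue()
```

Run `scan_tree("/mnt/shares")` against a mount point to get the same kind of per-document match list the Custom Tag dashboard shows; extend `patterns` with the indicator strings from your threat intelligence feed.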