Detecting Microsoft Word Documents Built for “Locky” Delivery

You should never open an attachment from an individual that you don’t recognize. But what if you see an email from a trusted friend or colleague with an attachment? Your spam and antivirus filters would have flagged and blocked the email if there were anything wrong with it, right?

Unfortunately, weaponized Microsoft Word documents continue to wreak havoc within organizations. When we say “weaponized” we typically mean an innocuous looking file that has been modified to trigger a malicious follow-on, or second stage activity – such as downloading a piece of malware, installing a key logger, or redirecting the viewer to a phishing website in an attempt to harvest credentials. In an environment where files are accessible by groups of people, or entire business units, the problem can become exponentially amplified.

One of the most common methods for enabling this behavior is the inclusion of a malicious macro within the document by the threat actor. Luckily, most recent versions of Microsoft Office warn the user, upon opening a document, that the document contains macros, which are disabled by default; the document itself then typically instructs the user that macros must be enabled for it to “function properly.” As this reasonably covert method for infecting computers has been around for quite some time, most users have learned to distrust such instructions. The threat actors, however, are getting smarter.

An example of this evolution can be seen in the recent Locky crypto ransomware delivery methodology. Locky is currently being distributed via email that contains Word document attachments with malicious macros. The email message will contain a subject similar to “ATTN: Invoice J-98223146” and a message such as “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.” When the document is opened, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text “Enable macro if the data encoding is incorrect.” Once a victim enables the macros, an executable is downloaded from a remote server, and the infection begins encrypting files stored locally and on mounted shares.

As stated earlier, in an environment where files are accessible by groups of people, or entire business units, the problem can become exponentially amplified. In the case of the Locky-enabled Word document, you can easily use the DataGravity Custom Tag capabilities to search documents for the presence of the offending pattern – in this case “Enable macro if the data encoding is incorrect” – as seen below.
[Screenshot: Custom Tag configured with the match pattern “Enable macro if the data encoding is incorrect”]

After running a manual DiscoveryPoint, or allowing your regularly scheduled DiscoveryPoints to run, your DataGravity Dashboard should display the number of documents that match your newly created Locky Custom Tag.
[Screenshot, 2016-02-18: DataGravity Dashboard showing the document count for the Locky Custom Tag]

Drilling into the Tags Distribution you can quickly identify the documents that matched your “Locky” Custom Tag.
[Screenshot: Tags Distribution drill-down listing the documents that matched the Locky Custom Tag]

And you can view the content, with the highlighted Tag matches, of each of the documents in a safe and secure manner without ever having to open the document yourself.
[Screenshot, 2016-02-18: document content view with the Tag matches highlighted]

You can also leverage DataGravity Content Alerts to automatically send you an email notification that new documents have been found matching your Locky Tag.
[Screenshot, 2016-02-18: Content Alert configuration for the Locky Tag]

This can be set on specific mount points, or across all mount points within your organization, to provide automatic visibility into potential threats as they occur.

Using DataGravity Custom Tags, Match Patterns, and Content Alerts you can quickly and effortlessly detect threats that employ similar methodologies. For example, you can discover embedded IP addresses, domains, or URLs provided from your trusted threat intelligence partners hiding in your stored documents with minimal effort. This scenario can be applied to more than Microsoft Word documents. DataGravity supports more than 400 data formats, from Microsoft Office and Adobe PDF, to XML and metadata for most multimedia formats and DLLs.
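As an added illustration of the same content-match approach described above (the Locky lure string, plus indicators supplied by threat intelligence), the following Python is written for this post and is not DataGravity's own code. It reads an OOXML Word file (.docx/.docm) as the zip container it is, extracts the visible text from word/document.xml, tags it against a small pattern list, and also reports whether the container carries a VBA project. The sample document is constructed in memory, and the domain `payload.example.invalid` is a placeholder indicator, not a real one.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Match patterns: the Locky lure text from the post, plus a constructed
# threat-intel indicator (example.invalid is a placeholder domain, not a real IoC).
PATTERNS = {
    "locky_lure": re.compile(r"Enable macro if the data encoding is incorrect", re.I),
    "intel_domain": re.compile(r"\bpayload\.example\.invalid\b", re.I),
}
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def extract_docx_text(data: bytes) -> str:
    """Return the visible text of an OOXML Word file (.docx/.docm) from its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "word/document.xml" not in zf.namelist():
            return ""
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(W_NS + "t"))  # each <w:t> is a text run

def has_vba_project(data: bytes) -> bool:
    """True if the container carries a VBA macro project (word/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return "word/vbaProject.bin" in zf.namelist()

def scan_document(data: bytes) -> dict:
    """Tag a document with every pattern it matches and whether it carries macros."""
    text = extract_docx_text(data)
    tags = [name for name, rx in PATTERNS.items() if rx.search(text)]
    return {"tags": tags, "has_macros": has_vba_project(data)}

def build_sample_docx(body_text: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (sample input, not a real Locky file)."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>" + escape(body_text) + "</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # stand-in for a real VBA project
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample_docx("Enable macro if the data encoding is incorrect", True)
    print(scan_document(lure))  # {'tags': ['locky_lure'], 'has_macros': True}
```

Legacy binary .doc files are OLE containers rather than zip archives, so they need an OLE parser (for example oletools' olevba) instead of the zip-based reader shown here.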

Read our step-by-step Tech Report on using the DataGravity Discovery Series to more quickly identify and recover from ransomware.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.