Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection

Additional information and Indicators of Compromise associated with this TTP can be viewed by ThreatStream users here

Overview

Template Injection is a technique in which a threat actor injects a URL into the template reference of a Microsoft Office document. This causes Word to request the resource specified by the URL when the document is opened. Since Windows’ default behavior when connecting over SMB is to send the user’s credentials to the server without prompting, this technique can be used for credential theft or for delivery of a malicious file to the victim.

Details

“Microsoft Office Open XML” is a compressed, XML-based file format developed for Microsoft Office in 2000, and it is the default file format of Microsoft Office. Extensible Markup Language (XML) is a markup language created to give a set of rules for encoding documents that are both human-readable and machine-readable. Microsoft developed Office Open XML in order to adopt a more open and standardized format. Office Open XML documents allow resources to be fetched from remote sources: relationships can be specified in the document that are fetched when the document is opened and processed by Office.

Attack Flow 1: Harvesting Credentials

An actor would begin by setting up a service that acts like a Server Message Block (SMB) file server, designed to capture credentials, as shown in Figure 1.

Figure 1 - Starting an SMB server.

The actor would then inject a “Relationship” entity into a Microsoft Office Open XML document pointing to a remote “template file”, as depicted in Figure 2.

Figure 2 - “settings.xml.rels” file with malicious IP address

The document file must be delivered to a target, possibly via spear phishing or by serving it on a website. When the target opens the file, Microsoft Office attempts to fetch the remote resource, as shown in Figure 3.

Figure 3 - Upon opening the injected file, a connection is made to fetch the resource.
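To check a suspect document for the kind of relationship shown in Figure 2, the following added example (not code from the original post or from any tool it mentions) opens a .docx as the zip package it is, walks every .rels part, and reports relationships marked external, flagging an attachedTemplate relationship whose target is a network location. The in-memory sample document and the 203.0.113.10 address are constructed for the example.

```python
"""Triage a .docx for remote template relationships (Office template injection).
Added example, not code from the original post; sample data is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def is_network_target(target):
    """True when the target makes Office contact another host: http(s), a UNC
    path, or a file: URL with a non-local host. A plain file:///C:\\... path
    (what Word writes for a local Normal.dotm) is not a network target."""
    t = target.strip()
    if re.match(r"^https?://", t, re.IGNORECASE):
        return True
    if t.startswith(("\\\\", "//")):  # UNC path
        return True
    m = re.match(r"^file:(//)?([^/\\]*)", t, re.IGNORECASE)
    return bool(m and m.group(1) and m.group(2) and m.group(2).lower() != "localhost")


def find_external_relationships(docx_bytes):
    """Return every relationship with TargetMode="External" in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; out of scope for this check
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type"),
                        "target": rel.get("Target", ""),
                    })
    return findings


def is_template_injected(docx_bytes):
    """True when an attachedTemplate relationship points at a network location."""
    return any(
        f["type"] == ATTACHED_TEMPLATE and is_network_target(f["target"])
        for f in find_external_relationships(docx_bytes)
    )


def build_sample_docx(template_target, target_mode="External"):
    """Construct a minimal .docx in memory whose word/_rels/settings.xml.rels
    references `template_target` as the attached template. Constructed test
    data: only the parts this check reads are included, so Word would not open it."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="{target_mode}"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/settings.xml", '<?xml version="1.0"?><settings/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: UNC target, the SMB variant of the technique.
    sample = build_sample_docx(r"\\203.0.113.10\share\template.dotm")
    for f in find_external_relationships(sample):
        print(f["part"], f["id"], f["target"])
    print("template injected:", is_template_injected(sample))
```

The network check matters because a document created from a local template legitimately carries an external attachedTemplate relationship with a `file:///C:\...` target; only a target that resolves to another host is the signal described in this post. Relationships of other types that point off-host (for example OLE objects) are also worth reviewing, which is why find_external_relationships reports all of them.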

Office first attempts to access the resource over SMB, trying to establish a connection to the server on ports 445 and 139 (Figure 4). Because Windows authenticates to the SMB server automatically, with no credential prompt, the attacker is able to harvest the target’s credential hash, as shown in Figure 5.

Figure 4 - Packet capture showing SMB verification

Figure 5 - SMB server capturing NTLM hashes

From the collected hashes, an attacker is able to crack the hash in order to recover the target’s password (Figure 6).

Figure 6 - Using hash cracker to extract password

Attack Flow 2: Delivering Malicious File

An attacker can also deliver a malicious file over a specified protocol. An example of this type of attack being used in the wild is described here.

An actor can template inject a Microsoft Word file with a reference (in this case over HTTP) to a remote file that contains an exploit, as demonstrated in Figure 7.

Figure 7 - Reference to malicious file

The file is fetched from the server (Figure 8) and placed in an object in the Word file. In this case, the malicious file is a Rich Text File (RTF) that exploits “CVE-2017-11882.”

Figure 8 - Fetching malicious RTF file

The RTF file exploits “Microsoft Equation Editor 3.0”, available in Microsoft Office versions prior to Office 2016, to run an MSHTA command to fetch a malicious HTA file (Figure 9).

Figure 9 - Link in RTF file to download payload

This technique is very versatile and can be used to deliver exploits for Microsoft Office vulnerabilities without much user interaction.

Analysis

This technique poses a potentially high risk to companies and individuals alike because it can result in the theft of credentials for sensitive accounts, particularly if the password is weak. In addition, if the attacker is harvesting SMB credentials, no additional user input is required. The attacker is also able to point the target at an HTTPS server configured to prompt the user for their username and password; if entered, the attacker can harvest these credentials.

This technique is very easy to implement. Additionally, tools are available in open source repositories that enable an attacker to perform it, for example “https://github.com/ryhanson/phishery”.

A threat actor would be likely to use this technique as it has a couple of substantial benefits. The actor is able to swap between payloads; for example, if the vulnerability a particular payload exploits has been patched, the actor could swap to another payload without altering the initial file. Another benefit is that antivirus applications will not be able to identify a template-injected file as malicious, since remote templates are a feature of Microsoft Office and fetching remote resources is not malicious in itself.

Mitigation

Users should be aware of how to identify malicious files being delivered via email. Always be on high alert while reading email, in particular when it comes with an urgent label or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. It is also important to make sure that real-time protection is enabled in your antivirus software, as real-time protection has the potential to stop threats just before execution. In the case of “CVE-2017-11882”, real-time protection is able to mitigate this threat before exploitation, as shown in Figure 10.

Figure 10 - Windows Defender blocking CVE-2017-11882

Users should use strong passwords to help prevent brute-force attacks with a hash cracker. It is also important that users use different passwords for different accounts; this protects the other accounts from being compromised in the event that one password is obtained. LM hashes should be disabled since they are easy to brute force.

Companies should implement egress filtering tools that control traffic leaving the network before an outbound connection is allowed. Outbound traffic to ports 445 and 139 should be blocked.
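The egress rule above can be verified against firewall logs: when an injected document is opened, Office tries TCP 445 and 139 to the remote host first, so an allowed outbound SMB connection from a workstation to an address outside the organization’s own ranges is exactly what the filter should have stopped. The following added example (not code from the original post) runs that check over constructed key=value log lines; the log format, the RFC 1918 address plan and the 203.0.113.10 / 198.51.100.4 destinations are assumptions for the example.

```python
"""Find outbound SMB connections that an egress filter let through.
Added example, not code from the original post; log lines are constructed."""
import ipaddress
import re

SMB_PORTS = {445, 139}
KV = re.compile(r"(\w+)=(\S+)")

# Assumed address plan: RFC 1918 plus loopback and link-local count as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed firewall log lines in a simple key=value format (dates and hosts made up).
SAMPLE_LOG = """\
2024-01-01T09:00:01Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445 action=allow
2024-01-01T09:00:02Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=445 action=allow
2024-01-01T09:00:02Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=139 action=allow
2024-01-01T09:00:03Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 action=allow
2024-01-01T09:00:04Z src=10.0.0.7 dst=198.51.100.4 proto=tcp dport=445 action=deny
"""


def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one key=value log line; returns None when required fields are missing."""
    fields = dict(KV.findall(line))
    try:
        return {
            "time": line.split(" ", 1)[0],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields.get("proto", "").lower(),
            "dport": int(fields["dport"]),
            "action": fields.get("action", "").lower(),
        }
    except (KeyError, ValueError):
        return None


def smb_egress_events(log_text):
    """Return events for allowed TCP connections to 445/139 with an external destination."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] != "tcp" or ev["dport"] not in SMB_PORTS:
            continue
        if ev["action"] != "allow":
            continue  # the egress filter already blocked it
        if is_internal(ev["dst"]):
            continue  # file-server traffic inside the network is expected
        events.append(ev)
    return events


def sources_to_review(log_text):
    """Map each internal source host to the external SMB destinations it reached."""
    out = {}
    for ev in smb_egress_events(log_text):
        out.setdefault(str(ev["src"]), set()).add(str(ev["dst"]))
    return out


if __name__ == "__main__":
    for src, dsts in sources_to_review(SAMPLE_LOG).items():
        print(f"{src} reached external SMB servers: {', '.join(sorted(dsts))}")
```

Each host reported here has sent an SMB connection (and, per Figure 5, most likely an NTLM authentication) outside the network; the source host is where to look for the document that triggered it, and the presence of any such event means the 445/139 egress block is not in place or not complete.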
