Microsoft Office Malware Captured in a Micro-VM on an Unpatched Computer
- The Bromium Labs team was able to get their hands on some live malware exploiting the Microsoft office vulnerability.
- First and foremost, on an unpatched workstation Bromium did its job by hardware-isolating the Microsoft Word document in a protected virtual machine so that the host workstation was never infected.
- Secondly, it shows the amazing analytics of Bromium, which reveal exactly what the malware was attempting to do.
As a follow-up to my earlier blog about a recently discovered vulnerability in Microsoft Office, the Bromium Labs team was able to get their hands on some live malware exploiting this vulnerability. The team launched the malware on an unpatched workstation to demonstrate two important parts of the Bromium Secure Platform. First and foremost, it shows how, on an unpatched workstation, Bromium did its job by hardware-isolating the Microsoft Word document in a protected virtual machine so that the host workstation was never infected. Secondly, it shows the amazing analytics of Bromium, which reveal exactly what the malware was attempting to do.
Let’s start with a summary of the Microsoft Office exploit.
The vulnerability in Microsoft Office was first reported by McAfee in a blog last week, although exploits of the vulnerability date back to late January 2017. This particular exploit works on all versions of Office, which means it is entirely possible that it has existed for years without the major anti-virus vendors or Microsoft knowing. This means that computers all over the world could have been compromised for years, including computers that are part of the United States Federal Government and hold potential national secrets.
What makes this vulnerability even more threatening is that it does not follow the hallmark behavior of traditional malware. Traditional malware targeting Microsoft Office normally delivers its payload via macros. This exploit instead uses a vulnerability in Microsoft’s Object Linking and Embedding (OLE) technology, an important component of Microsoft Office.
The exploit is delivered by what seems like a normal Microsoft Word document. Once the Word document is launched, a connection is made to a Command and Control server operated by hackers. An HTML file is then downloaded and launched, which gives the remote hacker full control over the workstation. If the exploit works as planned, the original Word document closes and a fake copy of the document is opened. However, at this point the workstation is owned.
Why Bromium customers never felt any impact from this exploit.
It all starts with the fundamental approach Bromium takes to malware. Instead of analyzing each document to see whether it is malicious, Bromium treats any untrusted document (anything downloaded or received from an untrusted source) as potentially malicious. Instead of opening a Microsoft Word document in the traditional way, Bromium launches the Word document inside a special hardware-isolated virtual machine. This is important because any malicious code that executes does so inside a disposable virtual machine. As soon as the user closes the Word document, any malicious activity or installed malware is destroyed along with the virtual machine. Because of this game-changing technology, Bromium endpoints are not susceptible to zero-day vulnerabilities like this one in Microsoft Office.
In the screenshot below, the live malware that exploits this Microsoft Office vulnerability is launched on the unpatched workstation. The utility on the right, titled “Bromium vSentry Live View”, shows all the actively running hardware-isolated virtual machines on the workstation. In the case of the malicious Word document, it was placed into “Micro-VM 0033”. Transparent to the user, the Word document resides inside “Micro-VM 0033”, and if any damage is done, it happens inside that virtual machine.
While the Word doc is running in the micro-VM, a sophisticated introspection engine is also looking inside the virtual machine. This introspection allows Bromium to look at any and all abnormal events that are happening. The added benefit that Bromium delivers over traditional Endpoint Detection and Response (EDR) solutions is that there is no additional “noise” confusing the detection of abnormal events. Because “Micro-VM 0033” is only running Microsoft Word, the other applications that cause traditional EDR solutions to produce false positives are weeded out.
When the user closes the micro-VM, a full forensic trace of this attack is available. The capture from the virtual machine shows all changes to and accesses of the virtual machine while it was up and running.
The following screenshot shows the detailed trace of this Microsoft Word exploit to include connecting to the Command and Control server.
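The behaviour chain described above (Word opens the document, connects out, downloads and launches a file, then the original document closes and a decoy is opened) is the kind of pattern an introspection engine scoped to a single micro-VM can pick out. The following is an added example, not Bromium's code: a small analyser over a constructed event trace; the event format, field names, micro-VM ids, paths and the address are all assumptions made up for the example.

```python
# Added example (not Bromium's code): flag the exploit behaviour chain this
# post describes inside one micro-VM's event trace. Event layout, VM ids,
# paths and the remote address are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Event:
    vm: str       # micro-VM the event was observed in (assumed field)
    seq: int      # order of the event within the trace
    process: str  # image name of the process causing the event
    kind: str     # open_doc | net_connect | file_write | proc_start | proc_exit
    detail: str   # document path, remote address, written path or launched file

def flag_chain(trace, vm):
    """Return (seq, reason) findings for the micro-VM `vm`.

    Only events from that VM are examined: the VM runs nothing but Word, so
    other applications never enter the analysis and cannot add noise.
    """
    events = sorted((e for e in trace if e.vm == vm), key=lambda e: e.seq)
    findings, connected, word_exited = [], False, False
    written, first_doc = set(), None
    for e in events:
        word = e.process.lower() == "winword.exe"
        if e.kind == "open_doc":
            if first_doc is None:
                first_doc = e.detail              # the document the user opened
            elif word_exited and e.detail != first_doc:
                findings.append((e.seq, "decoy document opened after Word exited"))
        elif e.kind == "net_connect" and word:
            connected = True                      # Word itself reaching out
            findings.append((e.seq, f"Word connected out to {e.detail}"))
        elif e.kind == "file_write" and connected:
            written.add(e.detail.lower())         # file fetched after the connection
        elif e.kind == "proc_start" and e.detail.lower() in written:
            findings.append((e.seq, f"downloaded file launched: {e.detail}"))
        elif e.kind == "proc_exit" and word:
            word_exited = True                    # original document closed
    return findings

# Constructed sample trace; every value below is made up for the example.
SAMPLE_TRACE = [
    Event("Micro-VM 0033", 1, "winword.exe", "open_doc", r"C:\Users\u\Downloads\invoice.docx"),
    Event("Micro-VM 0033", 2, "winword.exe", "net_connect", "203.0.113.7:80"),
    Event("Micro-VM 0033", 3, "winword.exe", "file_write", r"C:\Users\u\AppData\Local\Temp\page.html"),
    Event("Micro-VM 0033", 4, "winword.exe", "proc_start", r"C:\Users\u\AppData\Local\Temp\page.html"),
    Event("Micro-VM 0033", 5, "winword.exe", "proc_exit", ""),
    Event("Micro-VM 0033", 6, "winword.exe", "open_doc", r"C:\Users\u\AppData\Local\Temp\invoice.docx"),
    Event("Micro-VM 0034", 7, "chrome.exe", "net_connect", "198.51.100.20:443"),  # other VM, ignored
]

if __name__ == "__main__":
    for seq, reason in flag_chain(SAMPLE_TRACE, "Micro-VM 0033"):
        print(seq, reason)
```

Running it reports three findings for Micro-VM 0033 (the outbound connection, the launched download and the decoy document) and none for the browser's VM, which never enters the analysis.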
This most recent exploit further proves that the only viable path forward to ensure your organization is never compromised is to look at protection instead of detection. We’d love to tell you more about virtualization-based security. Contact us for a demo, meeting or both!