Targeted Excel Malware Revisited.

Further to our blog last week on targeted attacks exploiting a vulnerability found in a number of Excel versions including  Mac versions, viewers, and the Open XML File Format Converter for Mac.

While we already have a specific detection for the threat we call X97M/TrojanDropper.Agent.NAI, we also have generic detection for the exploit, flagged as X97M/Exploit.CVE-2009-0238.Gen. This detection was released on Friday evening in our update v.3895, and our ThreatSense.Net threat monitoring system is now returning hits on that detection, indicating that (a) the detection works! (b) further attempts to exploit this vulnerability are already appearing, and more can be expected.

Since it rarely hurts to know what you’re dealing with or to diversity your countermeasures, here’s are some further suggestions from the Microsoft advisory about other ways to mitigate the risk:

  • Users without administrative privileges who open a malicious document using this exploit may "be less affected." I’d certainly say that adhering to the "principle of least privilege" – that is, giving end users only the privileges they need to do their work, and no more – may not only mitigate the impact of any threat on their own system, but limit the effectiveness of the attack in reaching other systems and users.
  • An affected file has to be opened to be effective, whether received in email as an attachment or left on a malicious web site. Be cautious and be prepared for social engineering attacks.
  • Microsoft point out that users of the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. I’ve no experience with this tool, but I guess it’s like the "You should only open attachments from a trustworthy source" message in Outlook. Unfortunately, since in a targeted attack the malicious file usually looks as though it is from a trustworthy source, that may not offer much mitigation. Still, I guess it will at least cause a few people to think twice before they go ahead and open it.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Author David Harley, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.