Kaspersky Lab has discovered a feature in document-creation software that has been abused by attackers
Kaspersky Lab experts have discovered a feature in popular document-creation software that has been abused by attackers to launch successful targeted attacks. When a crafted but otherwise ordinary-looking office document is opened, information about the software installed on the victim’s device is sent automatically to the attackers, with no user interaction required.
This data allows attackers to pick the exploit best suited to the targeted device before they attempt to compromise it.
It doesn’t matter what device the document is opened on: the attack technique works on both desktop and mobile versions of popular text processing software. Kaspersky Lab has observed this method of profiling used in the wild by at least one cyberespionage actor, which the company’s researchers call FreakyShelly.
Kaspersky Lab has reported the issue to the software vendor, but at the time of writing it has not yet been fully patched.
Some time ago, while investigating FreakyShelly targeted attacks, Kaspersky Lab’s experts detected a spear-phishing mailing of OLE2-format documents (OLE2 is the compound-file format behind legacy Office documents; it uses Object Linking and Embedding technology to build compound documents that combine information from various sources, including from the Internet).
A quick preview of the file did not arouse suspicion. It contained a set of useful tips on how to make the best use of the Google search engine, and no known exploits or malicious macros. However, a closer look at the document’s behaviour showed that, when opened, it sent a specific GET request to an external web page. The request carried information about the browser in use on the device, the version of the OS and some of the other software installed on it, the kind of client details an HTTP request exposes in its User-Agent and related headers. The problem was that this web page was not something the application should have been sending requests to at all.
Further Kaspersky Lab research showed that the attack works because of how technical information about the elements of a document is processed and stored inside it. Each document carries metadata describing its style, the placement and source of its text, where any pictures it contains should be loaded from, and other parameters.
When the document is opened, the office application reads these parameters and uses them as a “map” to build the document. Based on the results of Kaspersky Lab’s investigation, the parameter that points to the location of a picture used in the document can be rewritten by the attacker so that it references a web page owned by the threat actor; when the application resolves that reference, the document “reports” to the attacker’s server without the user doing anything.
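Because the picture-location parameter lives inside the document itself, the reference can be found before the file is ever opened. The following Python is an added example, not code from the article or from Kaspersky Lab: it scans a document’s raw bytes for external http(s) URLs, looking for both the plain ASCII encoding and the UTF-16LE encoding that Word uses for most strings inside OLE2 streams, and flags any URL whose host is not on an allow-list. The sample document bytes, the hostnames and the allow-list policy are constructed for this example and do not come from the FreakyShelly documents.

```python
import re
from typing import Dict, List, Sequence
from urllib.parse import urlparse

# Signature that opens every OLE2 (Compound File Binary) document, the
# container behind legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# A URL as it appears in an ASCII/UTF-8 stream ...
_ASCII_URL = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# ... and the same URL as UTF-16LE, which is how Word stores most text
# (every character is followed by a NUL byte).
_UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
    rb"(?:[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]\x00)+"
)


def is_ole2(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound-file signature."""
    return data.startswith(OLE2_MAGIC)


def find_external_urls(data: bytes) -> List[str]:
    """Return every http(s) URL embedded in the document, ASCII or UTF-16LE."""
    urls: List[str] = []
    for m in _ASCII_URL.finditer(data):
        urls.append(m.group().decode("ascii", "replace"))
    for m in _UTF16_URL.finditer(data):
        urls.append(m.group().decode("utf-16-le", "replace"))
    # De-duplicate while keeping the order of first appearance.
    unique: List[str] = []
    for u in urls:
        if u not in unique:
            unique.append(u)
    return unique


def classify(data: bytes, allowed_hosts: Sequence[str] = ()) -> Dict[str, object]:
    """Flag any URL whose host is not on the allow-list (an assumed policy)."""
    urls = find_external_urls(data)
    suspicious = [u for u in urls if urlparse(u).hostname not in allowed_hosts]
    return {"ole2": is_ole2(data), "urls": urls, "suspicious": suspicious}


# Constructed stand-in for a document body: the OLE2 signature, some text,
# one ASCII URL to an assumed-legitimate CDN and one UTF-16LE picture
# reference to a tracking host. Neither host exists; .invalid is reserved.
SAMPLE_DOC = (
    OLE2_MAGIC
    + b"\x00" * 24
    + b"Ten tips for getting more out of Google search\n"
    + b"https://cdn.example.invalid/logo.png "
    + "picture: http://example.invalid/track.png ".encode("utf-16-le")
    + b"\x00" * 8
)


def scan_sample() -> Dict[str, object]:
    """Run the scanner over the constructed sample with an assumed allow-list."""
    return classify(SAMPLE_DOC, allowed_hosts=("cdn.example.invalid",))


if __name__ == "__main__":
    result = scan_sample()
    print("OLE2 container:", result["ole2"])
    for url in result["urls"]:
        flag = "SUSPICIOUS" if url in result["suspicious"] else "allowed"
        print(f"{flag}: {url}")
```

Run against a real file with `classify(open(path, "rb").read(), allowed_hosts=...)`. The scanner is deliberately format-agnostic: it does not parse the OLE2 directory, so it also catches URLs in other streams, at the cost of missing references that are compressed or obfuscated. On the constructed sample it reports the CDN URL as allowed and the UTF-16LE tracking URL as suspicious.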
“Although this feature doesn’t enable a malware attack, it is dangerous because it can effectively support malicious activity by requiring almost zero interaction from the user and being able to reach many people around the world, as the affected software is very popular. So far we have seen this feature used in only one instance. However, given the fact that it is really hard to detect, we expect that more cyberthreat actors may start using the technique in the future,” said Alexander Liskin, Heuristic Detection Group Manager, Kaspersky Lab.
Kaspersky Lab products successfully detect and block attacks conducted with the help of this technique.
In order to avoid falling victim to such an attack, Kaspersky Lab experts advise users to implement the following practices:
- Avoid opening emails sent from unknown addresses, and do not open any attachments to such emails;
- Use proven security solutions capable of detecting such attacks, like Kaspersky Lab protection solutions.