Phishing Campaigns Utilising OLE Malware

Microsoft warned of malware authors who are using its legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Speaking about how phishers will use Office capabilities such as OLE and Macros, Jon French, security analyst of AppRiver, explains in detail below.

Jon French, Security Analyst at AppRiver:

“Macro and object linking and embedding (OLE) malware, especially in the world of business, is dangerous since handling documents is a normal day-to-day task for most people. A user being given the power to run a malicious macro or open a bad OLE is the default permission on Windows’ machines.”

Turning attention to Macros and the addition of OLE malware specifically, Jon adds, “Malicious macros are nothing new these days. They’ve been around for years and will likely be staying for years to come. Macros themselves aren’t the enemy though, and in fact can be a very powerful tool to help users automate complex tasks within a document. However, malware authors use the macro power for evil by creating bits of code that can download and execute malicious files when the documents are run on a victim’s machine. Macros are disabled by default in Office products these days, but unfortunately users still get a pop up asking them if they want to run the macro. Since most users don’t know what this means and the document often says they need to run the macro to see the actual content, people end up clicking enable and it goes downhill from there.

“While OLE’s aren’t new, being used for malicious purposes is a recent development. Many times they are formatted similar to the Macro documents saying you need to click something to see the content, but you don’t get the macro warning banner when opening the file. As with macros, this is supported both in Excel and Word as well.

“The benefit for an attacker using OLE’s is that the payload is contained as an OLE object inside the document itself. While with most macro malware, the macro reaches out to a server on the internet, downloads the payload, and then executes it. So OLE malware is an all in one package for delivery. They can set the object to execute or run whatever file they please as well (exe, vbs, js, etc).

“Many antivirus (AV) engines are capable of detecting these types of threats and blocking them. But as with all other types of malware, the authors are constantly trying to find ways to bypass any sort of filtering or detection solutions.

“These days it may be worth IT departments to look in to enforcing these blocks. With document malware like this being likely to stay around, disabling these mostly unused features just adds another layer of security.

“For home users, vigilance is key and don’t click on anything that doesn’t come from a recognised or trusted source.”