Proofpoint researchers have analysed Microsoft Word Intruder (MWI), a kit designed for building malicious Microsoft Word documents for use in targeted attacks. The most recent iteration of MWI – Version 8 – supports a wide variety of vulnerabilities that actors can exploit via crafted Microsoft Word documents. IT security experts from Tripwire and AlienVault comment below on how this attack could be used and what individuals and organisations can do to protect themselves.
Craig Young, Security Researcher at Tripwire:
“Crafted Word documents are probably most often used in phishing campaigns to gain access to a victim’s computer by getting them to open a malicious attachment. Attackers apply social engineering tactics to convince email recipients to open an attachment. Organizations or individuals handling Word documents would probably have a higher risk of being targeted.
It is important to keep Office, Flash, Windows and other software up to date with the latest security fixes and to disable macros in Office. The Microsoft EMET tool can also make it more difficult for attackers to gain code execution through vulnerabilities such as those offered from MWI.
In order to protect yourself, don’t open Word documents that aren’t from trusted sources. If a document must come from an untrusted source, consider using VirusTotal and make sure Word is configured with restrictive settings. It may be advisable to sandbox document viewing through a cloud infrastructure or within a virtual machine.”
Javvad Malik, Security Advocate at AlienVault:
“Microsoft Word Intruder has been around for a while and version 8 adds to its functionality. We have a pulse in Open Threat Exchange that has a number of indicators to detect its presence https://otx.alienvault.com/pulse/552000a213432a3a1f545b00/ – which is a good way to currently protect users from being victims.
In terms of its use – MWI has always been touted as one of the more targeted tools, marketing itself to the discerning stealth hacker. Or in other words an APT for the masses. In that regard, the tool will likely be used by criminals looking to target specific individuals for specific purposes.”