An actor known as Botnet has developed a new attack vector, which is the use of the Click2Run update mechanism. This isn’t the first time the group has used Click2Run, but before it was not widespread and was an isolated campaign, targeting specific victims. In this campaign, however, the group enlists compromised websites to distribute malicious Office documents that exploit Microsoft Office vulnerabilities. These sites are used to distribute malicious files and click-fraud malware. The scams are aimed at making the victim install fraudulent system utilities (such as PC care apps) or at convincing them to download malware payloads under the guise that they include important software updates or critical security patches),
Botnet has developed a new attack vector, which is the use of the Click2Run update mechanism.
- Botnet operators are using the Click2Run update mechanism to infect users, and it’s enabled by default on versions of Office 2010 SP1 or later.
- Botnets can use Click2Run to download updater files that contain malicious code, which is then executed automatically.
- The attack vector uses a certificate from Microsoft to sign its updates—this makes them appear legitimate and allows them to be installed automatically.
This isn’t the first time the group has used Click2Run, but before it was not widespread and was an isolated campaign, targeting specific victims.
Click2Run is a mechanism for installing updates for office applications. The attackers used it to distribute malicious payloads via Microsoft Office documents. It’s not the first time that Botnet has used Click2Run, but before it was not widespread and was an isolated campaign targeting specific victims.
The attackers gained access to victims’ systems using the CVE-2016-3298 exploit and exploited it again with CVE-2018-8174 malware leveraging the RTF vulnerability (also known as “Spectre”) found in earlier versions of Word, Excel and PowerPoint. The malware would then download additional files from a remote server: either banking Trojans or cryptocurrency miners (such as MinerGate).
In this campaign, however, the group enlists compromised websites to distribute malicious Office documents that exploit Microsoft Office vulnerabilities.
In this campaign, however, the group enlists compromised websites to distribute malicious Office documents that exploit Microsoft Office vulnerabilities.
The malware is distributed via a slew of compromised websites and fake online stores. The attacker uses Click2Run to deliver the payloads. A significant number of these compromised sites are hosted in South Africa, but others are hosted in the United States, Germany, Australia and New Zealand.
The attackers have been active since at least August 2018.
The latest attack was launched by an actor known as “Botnet” and is sustained by a slew of compromised websites.
The latest attack was launched by an actor known as “Botnet” and is sustained by a slew of compromised websites. It uses Office documents with embedded malicious macros to download a dropper component, which in turn downloads and executes the final payload. The campaign leverages Click2Run to install the malicious payload.
The initial infection vector includes email messages that contain a Microsoft Word document with an attached macro-enabled file (Figure 1). If the victim clicks on “Enable Editing Mode” in order to enable editing for the document, this will start running the malicious macro code inside it. Upon execution of this code, several PowerShell commands are executed to download additional files from remote locations over HTTP/HTTPS protocols (Figure 2). These include an executable file (.exe) file embedded at offset 0x40400000 within one of these downloaded ZIP archives and two other files named $O1$#$O2$#$O3$#$O4$.
These sites are used to distribute malicious files and click-fraud malware.
The sites are used to distribute malicious files and click-fraud malware. The Botnet has developed new attack vectors, which include distributing files through web pages.
The scams are aimed at making the victim install fraudulent system utilities (such as PC care apps) or at convincing them to download malware payloads, under the guise that they include important software updates or critical security patches.
The scams are aimed at making the victim install fraudulent system utilities (such as PC care apps) or at convincing them to download malware payloads, under the guise that they include important software updates or critical security patches.
The latest attack was launched by an actor known as “Botnet” and targeted Windows users via Facebook Messenger. The malicious messages contained thumbnails of a video depicting a woman wearing a swimsuit, with titles such as: “I got your photos!” The link would infect the victim’s machine with malware if clicked on by clicking on the thumbnail image.
Malicious office documents and fake software update sites are not new tricks, but what makes this campaign stand out from other phishing campaigns is that it uses the Click2Run mechanism for Office 2010 SP1 or later to run the malicious payloads with an embedded certificate from Microsoft.
Malicious office documents and fake software update sites are not new tricks, but what makes this campaign stand out from other phishing campaigns is that it uses the Click2Run mechanism for Office 2010 SP1 or later to run the malicious payloads with an embedded certificate from Microsoft.
Click2Run is a mechanism that Microsoft uses to update Office applications without requiring users to download the updates. With this tool, users can install updates without rebooting their computer or even closing their application first. This allows attackers to target victims who don’t have administrative privileges on their computers because they rely on Click2Run instead of running scripts or dropping malware directly into Windows folders as most traditional attacks do.
Conclusion
The Click2Run mechanism has been used by several actors in the past, but this is the first time we have seen it used by Botnet. In addition to using fake websites to distribute malicious Office documents, the group also uses compromised websites for click fraud and adware distribution.