McAfee began working with Microsoft in November 2013 after spotting the exploit in the Middle East and Asia being used to steal sensitive data. The malware, CVE-2013-3906, locates and exfiltrates specific file types once it enters a user’s environment. The attacks were targeted at high-level institutions, including the Pakistani military, McAfee said. The company has since recorded 500 samples of the malware covering 60 unique variants.
The zero-day vulnerability was not known to the software’s developers before the attacks took place. Microsoft released a patch for the exploit in December. McAfee has also updated its products accordingly.
First introduced in Microsoft Office 2007, the .docx (Open XML) format has generally been considered safe.
“This element of surprise could be the major reason no one had detected the threat: Because .docx files were not considered vulnerable, they were not executed in a sandbox environment,” McAfee wrote in the report.
McAfee is particularly concerned because the exploit and its proof-of-concept have been fully documented, “making it dramatically simpler for other actors to incorporate the exploit into new attacks, exploit kits, and the like.”
The malware also demonstrated a new technique for spreading the infection. CVE-2013-3906 performs a modified version of “heap spraying” in which a malware payload injects code into a “predictable and relocatable” part of the software’s memory. Invading the memory may allow the malicious code to take the place of another process within the software, potentially gaining control of the system. Previous heap spraying attacks entered Microsoft Office via Flash Player, but this most recent attack exploited ActiveX controls. The .docx attack was also able to infect the computer without scripting (executing commands without the user ordering them), which Microsoft Office 2007 and later blocks.
McAfee’s Fourth Quarter 2013 threat report also details increasing threats to malicious application signatures, growing mobile malware and rising cybercrime at point-of-sale terminals.
McAfee announced in January that it will rebrand as Intel Security, taking on the moniker of its parent company Intel Corporation [INTC].