Hackers exploit Windows 10 RDP ActiveX protocol to drop TrickBot malware

Threat actors take advantage of the remote desktop ActiveX control in Word documents to automatically execute on Windows 10 a malware downloader called OSTAP as part of a TrickBot malware campaign.

Morphisec Labs researchers say that over the past few weeks they have discovered a couple dozen documents that execute the OSTAP JavaScript downloader. The OSTAP downloader is delivered via phishing emails masquerading as notifications of a missing payment. The message contains a weaponized Word document with a malicious macro and an image designed to convince targets to enable the content. However, an ActiveX control was also hidden below the image. The OSTAP downloader is concealed in white text, so it is invisible to the human eye but can be read by machines. The researchers say this technique will work only on Windows 10 devices.

Further analysis revealed the use of the MsRdpClient10NotSafeForScripting class, which is used for remote control. The Server field is left empty in the script, which later causes a connection error that the attackers deliberately abuse to execute their own code.

When analyzing the macro, researchers discovered an interesting trigger method, “_OnDisconnected”, which is the main function executed first. However, this function acts as a trigger only if an error is returned for failing to connect to the non-existent server.

“The OSTAP will not execute unless the error number matches exactly to "disconnectReasonDNSLookupFailed" (260); the OSTAP wscript command is concatenated with a combination of characters that are dependent on the error number calculation,” the researchers explain.

When OSTAP is created in the form of a BAT file, that file is executed and the Word document form is closed.

“The BAT will execute wscript back with its own content -- an old trick using comments that the BAT will disregard during the execution of wscript (non-recognized command) while skipped together with its content when executed by wscript (or any other interpreter that adheres to the comments syntax),” Morphisec says.
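The trigger chain described above (RDP ActiveX control, empty Server field, “_OnDisconnected” handler gated on reason 260, wscript launch) lends itself to a simple triage heuristic. The following Python is an added example, not code from Morphisec or from the article: it lists ActiveX parts inside the OOXML container and checks already extracted VBA source (extraction by an external tool such as olevba is assumed) for the combination of indicators the report names. The sample document and macro text are constructed here for illustration.

```python
"""Triage heuristic for the OSTAP RDP-ActiveX loader pattern (added example)."""
import io
import re
import zipfile

# Indicators taken from the write-up: the RDP ActiveX class, the disconnect
# callback used as the trigger, the DNS-lookup-failed reason (260) and wscript.
INDICATORS = {
    "rdp_activex_class": re.compile(r"MsRdpClient10NotSafeForScripting", re.I),
    "disconnect_trigger": re.compile(r"_OnDisconnected\s*\(", re.I),
    "dns_fail_reason": re.compile(r"disconnectReasonDNSLookupFailed|\b260\b"),
    "wscript_launch": re.compile(r"\bwscript\b", re.I),
}

def activex_parts(doc_bytes: bytes) -> list[str]:
    """List ActiveX parts embedded in a .docx/.docm (a ZIP container)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return sorted(n for n in z.namelist() if n.startswith("word/activeX/"))

def scan_vba(vba_source: str) -> dict[str, bool]:
    """Report which indicators appear in extracted VBA source text."""
    return {name: bool(rx.search(vba_source)) for name, rx in INDICATORS.items()}

def verdict(doc_bytes: bytes, vba_source: str) -> str:
    """Combine container and macro evidence into a triage verdict."""
    hits = scan_vba(vba_source)
    core = ("rdp_activex_class", "disconnect_trigger", "dns_fail_reason")
    if activex_parts(doc_bytes) and all(hits[k] for k in core):
        return "suspicious: RDP ActiveX disconnect-trigger loader pattern"
    if hits["rdp_activex_class"] or hits["disconnect_trigger"]:
        return "review: partial match"
    return "no match"

# Constructed sample container (not a real campaign document); the CLSID is a placeholder.
def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/activeX/activeX1.xml", '<ax:ocx ax:classid="{PLACEHOLDER-CLSID}"/>')
    return buf.getvalue()

# Constructed macro text mimicking the handler shape described in the report (no payload).
SAMPLE_VBA = """
Private Sub MsRdpClient10NotSafeForScripting1_OnDisconnected(ByVal discReason As Long)
    If discReason = 260 Then
        Shell "wscript " & cmd
    End If
End Sub
"""

if __name__ == "__main__":
    print(activex_parts(build_sample_docm()), scan_vba(SAMPLE_VBA))
    print(verdict(build_sample_docm(), SAMPLE_VBA))
```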

More details, as well as hashes related to the observed campaign, are available in Morphisec’s report.

