
Word add-in persistence found in the wild

@Blu3_team @Malwareparty 20180106

@Malwareparty found another interesting sample using the %temp% known file location for embedded packages, but this one works differently. The sample uses CVE-2017-11882 for the exploit and you can see the decoded portion of the command.

Functionally the file is present in the %temp% location, but it is also copied to "%APPDATA%\Microsoft\word\startup\w.wll". We don't understand if this is part of the exploit functionality or the packager functionality yet. The sample does not run when viewing the document, so we looked at the Word startup location and WLL files and found that they are for Word add-in functionality. A quick test verified that the w.wll file executes at the next start of the Word application, which provides a great method of persistence that we have not seen before. From there the malware executes conventionally, dropping two executables and beacons over port 44
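As an added example (not code from the original post), the following Python script inventories the Word STARTUP folders for .wll and template add-ins and confirms whether a .wll carries a PE header, which is what makes it load as native code at the next Word start. The per-user path is the one named above; the machine-wide Office STARTUP globs are an assumption about typical Office installs.

```python
import hashlib
import os
from pathlib import Path

# Word loads native add-ins (.wll, a renamed DLL) and global templates from its
# STARTUP folders on every launch, so an unexpected file here is a persistence
# indicator of the kind described in the post.
ADDIN_SUFFIXES = {".wll", ".dotm", ".dot"}


def word_startup_dirs():
    """Per-user STARTUP (the path used by the sample) plus machine-wide Office
    STARTUP folders (assumed layouts for MSI and Click-to-Run installs)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for root in (os.environ.get("ProgramFiles"), os.environ.get("ProgramFiles(x86)")):
        if root:
            dirs.extend(Path(root).glob("Microsoft Office*/Office*/STARTUP"))
            dirs.extend(Path(root).glob("Microsoft Office*/root/Office*/STARTUP"))
    return [d for d in dirs if d.is_dir()]


def scan_startup_dir(directory):
    """Return one finding per add-in file found directly in `directory`."""
    findings = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file() or p.suffix.lower() not in ADDIN_SUFFIXES:
            continue
        data = p.read_bytes()
        findings.append({
            "path": str(p),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            # A .wll with an MZ header is a real DLL that Word will load as code.
            "native_code": p.suffix.lower() == ".wll" and data[:2] == b"MZ",
        })
    return findings


if __name__ == "__main__":
    for d in word_startup_dirs():
        for f in scan_startup_dir(d):
            flag = "NATIVE-ADDIN" if f["native_code"] else "template"
            print(f"{flag:12} {f['size']:>8} {f['sha256']}  {f['path']}")
```

Run it under each user account that uses Word, since the per-user STARTUP folder is resolved from that user's %APPDATA%.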