There are fake Word docs going around that contain almost undetectable malware

Patrick Devaney

Published

Another malware scam has popped up that hides malicious files inside seemingly legitimate ones. In a callback to the fake job offers containing malware that we reported on a while back, this scam is hidden inside infected Microsoft Word docs that pretend to be legitimate CVs. Here is what you need to look out for.

Researchers at Unit 42, the threat intelligence specialists based at Palo Alto Networks, first spotted the threat back in May and have since been analyzing and breaking it down. They say that the malicious payload was created using a tool called Brute Ratel (BRC4), which, incredibly, has its own website where it is sold. The site describes the tool as “A Customized Command and Control Center for Red Team and Adversary Simulation.”

This particular scam starts with a seemingly innocuous CV of a guy named Roshan Bandara. Straight away, though, there are warning signs that should make potential victims stop and think. Unusually, the CV comes in the form of an ISO file, which is a disk image file, and it is only after users have clicked on it that they can see the fake Word doc with the title “Roshan-Bandara_CV_Dialog”. When users click on this, it opens CMD.EXE and runs the OneDrive updater to retrieve and install BRC4.

BRC4 then goes on to perform many malicious actions on the victim’s devices, which anybody who has read our malware reports before will be familiar with. For Unit 42, however, what is most eye-catching about this form of attack is the method used to pull it off. They say:

“This tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

This means that this new threat is able to get past over 50 different antivirus programs undetected, so you won’t get any sort of automated warning if it gets onto or near your device. You will be your main line of defense against this threat, as most antivirus programs won’t even know it is there. To help you stay safe, we have put together an infographic to help you spot fake files like this one.
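The warning sign described above, a CV that arrives as a disk image, can also be checked by content rather than by file name. The following Python is an added example, not code from Unit 42 or from this article; the lure words, file names and sample bytes are constructed assumptions.

```python
import re

# ISO 9660 volume descriptors start at sector 16 (2048-byte sectors); each
# carries the identifier "CD001" one byte into the sector.
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSETS = (0x8001, 0x8801, 0x9001)
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")
# Lure words are an assumption for this example; tune them to your own mail flow.
CV_LURE = re.compile(r"(?<![a-z])(cv|resume|curriculum)(?![a-z])", re.I)


def is_iso_image(data: bytes) -> bool:
    """True when the bytes carry an ISO 9660 descriptor, whatever the file name says."""
    return any(data[off:off + 5] == ISO_MAGIC for off in ISO_MAGIC_OFFSETS)


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves a manual look (empty list = none)."""
    reasons = []
    name = filename.lower()
    if is_iso_image(data):
        reasons.append("content is a disk image")
        if name.endswith(DOCUMENT_EXTENSIONS):
            reasons.append("disk image renamed with a document extension")
        if CV_LURE.search(name):
            reasons.append("disk image named like a CV")
    elif name.endswith(".iso"):
        reasons.append(".iso extension without an ISO 9660 descriptor")
    return reasons


def _constructed_iso() -> bytes:
    # Constructed sample: 16 empty sectors, then a minimal volume descriptor header.
    return b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01" + b"\x00" * 2041


SAMPLES = {  # constructed file names and contents, not taken from the campaign
    "Candidate_CV.iso": _constructed_iso(),
    "Candidate_CV.docx": b"PK\x03\x04" + b"\x00" * 64,
    "Quarterly-report.doc": _constructed_iso(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage_attachment(fname, blob) or "no disk-image indicators")
```

A clean result only means no disk-image indicator was found; it says nothing about the contents of a genuine document.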
