Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News
Fri, 03 Jun 2022 20:43:43 +0000

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/
Fri, 03 Jun 2022 20:43:26 +0000

The post How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document? appeared first on Information Security Newspaper | Hacking News.

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user hovering over a link in a phishing email or in a Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded under the Unicode standard. For the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using the Punycode transcription.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets that look so similar to the user that they cannot be told apart, even though Unicode treats them as separate characters. This is not a new concept, but it remains a problem for many users.

Most browsers, for example, display in the address bar the Punycode form of an internationalized domain name (https://xn--n1aag8f.com, for example) instead of its Unicode display form (https://žugec.com) if the site is suspicious. Office applications, including Outlook, however, display the name differently.
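The two forms of an IDN discussed above, and the mixed-script pattern behind homograph look-alikes, can be checked in a few lines of Python. This is an added example, not code from the article or from Bitdefender; it relies only on the standard library (the `idna` codec implements IDNA 2003) and approximates the Unicode script of a letter from its Unicode name, since the standard library exposes no Script property. The sample hostnames are constructed.

```python
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label: str) -> set:
    """Approximate the scripts used by the letters of one DNS label.

    The first word of a letter's Unicode name is its script, e.g.
    'CYRILLIC SMALL LETTER A' versus 'LATIN SMALL LETTER A'.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess_host(host: str) -> dict:
    """Describe a hostname in both forms a user may encounter.

    'display' is the Unicode form a hover tooltip in Office shows; 'ascii' is the
    Punycode (xn--) form a browser falls back to for a suspicious IDN.  Either
    form may be passed in.
    """
    display = host.encode("ascii").decode("idna") if host.isascii() else host
    ascii_form = display.encode("idna").decode("ascii")
    return {
        "display": display,
        "ascii": ascii_form,
        # Non-ASCII name: what the tooltip shows and what the address bar shows differ.
        "idn": any(ord(ch) > 127 for ch in display),
        # One label drawing letters from two scripts is the classic homograph pattern.
        "mixed_script": any(len(scripts_in(lbl)) > 1 for lbl in display.split(".")),
    }


def assess_link(url: str) -> dict:
    """Same assessment for a full URL as found in an email or document link."""
    return assess_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: a plain domain, the article's žugec.com, and a look-alike
    # whose second letter is Cyrillic U+0430 rather than Latin 'a' (both forms).
    for sample in ("example.com", "\u017eugec.com", "p\u0430ypal.com", "xn--pypal-4ve.com"):
        print(assess_host(sample))
```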

Since domain registration checks greatly limit which counterfeit domains can be registered, and most browsers display the Punycode form of a spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may still find ways to deploy them at scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it is unclear whether the issue will be fixed. Until it is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Microsoft to turn off macros in Excel 4.0 by default to protect users from ransomware attacks
https://www.securitynewspaper.com/2022/01/24/microsoft-to-turn-off-macros-en-excel-4-0-by-default-to-protect-users-from-ransomware-attacks/
Mon, 24 Jan 2022 23:11:42 +0000

On Monday, Microsoft announced that it has decided to disable Excel 4.0 macros by default in the latest version of the application to keep users protected against some security risks associated with this feature.

As you may already know, a macro is a series of commands that automates a repeated task and can be run whenever that task has to be performed. Macros can be abused for malicious purposes, and they do not need to be enabled in order to view or edit a file.

Cybercriminals try to trick unsuspecting users into enabling macros and then use that functionality as part of the attack.

This move is an attempt by the company to counter a spike in ransomware and other malware infections that abuse Excel 4.0 macros as part of the initial infection. Hackers, mainly nation-state sponsored groups, began experimenting with legacy Excel 4.0 macros in response to Microsoft’s 2018 crackdown on macro scripts written in VBA.

Previously, the Excel Trust Center offered organizations that wanted both VBA and legacy macros to run the “Enable Excel 4.0 macros when VBA macros are enabled” setting, which let administrators control Excel 4.0 macro behavior without affecting VBA macros.

Excel 4.0 macros are now disabled by default in Excel builds 16.0.14427.10000 and later. Users will also be able to modify the settings through the Microsoft 365 app policy control.

In addition to these settings, Microsoft added the option to manage the policy settings in the Office Cloud Policy Service, which applies to users who access Office applications from any device using Azure Active Directory accounts.

Finally, to block XLM across the board, administrators can configure Group Policy to prevent Excel from running XLM macros. Implementing these measures should help administrators mitigate VBA and XLM malware threats.

Microsoft addressed the antivirus side of the defense through an integration between the Antimalware Scan Interface (AMSI) and Office 365, which allows antivirus solutions to provide additional protection.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

How to easily check if a DOC, RTF, XLS, PPT, PPTX or PDF file has malware without antivirus, like a digital forensics expert
https://www.securitynewspaper.com/2021/02/06/how-to-easily-check-if-doc-rtf-xls-ppt-pptx-or-pdf-file-has-a-malware-without-antivirus-like-a-digital-forensics-expert/
Sat, 06 Feb 2021 19:55:00 +0000

In most cyberattacks, threat actors use legitimate-looking documents loaded with malware, which is why researchers often say it all starts with a Word file, PowerPoint presentation, Excel spreadsheet, or even a book downloaded from a free PDF site.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you a simple method to manually examine a suspicious document and check whether it is loaded with malware.

Broadly speaking, all file analysis techniques include the following steps:

  • Check the document for dangerous tags and scripts
  • Detect embedded code such as shellcode, VBA macros, JavaScript, PowerShell and more
  • Extract the suspicious code or object from the file
  • If possible, deobfuscate the extracted code (obfuscated code is, with a very high degree of probability, malicious)

Tools for analyzing Microsoft Office files

Oletools: This is a powerful Python toolkit for analyzing Microsoft OLE2 files, primarily Microsoft Office documents such as Word or PowerPoint files, as digital forensics experts note.

For installation on Linux, simply run the following command:

sudo -H pip install -U oletools

On the other hand, if you want to install the tool on Windows systems, you must use the following command:

pip install -U oletools

In this package you can find many other tools, including:

pcodedmp: This is a VBA p-code disassembler (p-code is the compiled bytecode form of VBA macros). Digital forensics experts mention that this tool requires oletools to function properly.

PDF analysis tools

PDF Stream Dumper: This is a Windows GUI utility for PDF analysis that is very popular in the cybersecurity community.

pdf-parser: This tool allows digital forensics experts to extract individual elements from a PDF file, such as headers, links, and more, for detailed analysis.

pdfid: pdfid lists all the objects and keywords found in the scanned PDF file.

peepdf: This is a powerful analysis framework that includes shellcode search, JavaScript analysis and more. peepdf is included by default in Kali Linux.

PDFxray: This tool offers most of the necessary utilities as separate Python scripts, but requires many dependencies, as digital forensics experts note.

What should we look for when analyzing a PDF document?

First, digital forensics specialists recommend looking for the following keywords:

  • /OpenAction and /AA, as they can run scripts automatically
  • /JavaScript and /JS, which run JavaScript
  • /GoTo, which changes the page being viewed and can automatically open and redirect to other PDF files
  • /Launch, which is able to start a program or open a document
  • /SubmitForm and /GoToR, which can send data to a URL
  • /RichMedia, which can be used to embed Flash content
  • /ObjStm, which can hide objects

It is rare to find clean, unobfuscated code in malicious PDF files. The simplest types of obfuscation are hex encoding of name characters, such as /J#61vaScript instead of /JavaScript, and line breaks:

/Ja\
vascr\
ipt
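The keyword list above can be turned into a small pdfid-style scanner that also undoes the #xx hex escaping used to hide names such as /J#61vaScript. This is an added example written for this page, not code from the article, from pdfid or from oletools; the sample PDF bytes are constructed and deliberately minimal. Like pdfid, it reads only plaintext, so anything inside compressed or /ObjStm streams must be extracted with pdf-parser and re-scanned, as the article describes.

```python
import re
from collections import Counter

# The PDF name keywords the article lists, with the reason each one matters.
SUSPICIOUS_NAMES = {
    "/OpenAction": "action executed automatically when the document opens",
    "/AA": "additional actions triggered by events (open, close, mouse)",
    "/JavaScript": "embedded JavaScript",
    "/JS": "embedded JavaScript (short key)",
    "/GoTo": "changes the visible page, can redirect to other PDFs",
    "/Launch": "starts a program or opens a document",
    "/SubmitForm": "sends form data to a URL",
    "/GoToR": "remote go-to, can send data to a URL",
    "/RichMedia": "embedded Flash content",
    "/ObjStm": "object stream that can hide other objects",
}

# A PDF name token: '/' followed by regular characters up to whitespace or a delimiter.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Undo the #xx hex escaping allowed inside names, so /J#61vaScript reads /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count the article's keywords in raw PDF bytes (a simplified pdfid-style pass).
    Only plaintext is inspected: names inside compressed or /ObjStm streams stay
    hidden, which is why such streams are extracted with pdf-parser and re-scanned."""
    counts = Counter()
    for match in NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0))
        if name in SUSPICIOUS_NAMES:
            counts[name] += 1
    return dict(counts)


def report(counts: dict) -> list:
    """Human-readable lines, one per keyword found."""
    return [f"{name} x{n}: {SUSPICIOUS_NAMES[name]}" for name, n in sorted(counts.items())]


# Constructed sample: a minimal (not fully valid) PDF whose /JavaScript name is hex-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 5 /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Running `print("\n".join(report(scan_pdf(SAMPLE_PDF))))` lists the four keywords the sample contains; on a real file, read it in binary mode and pass the bytes to `scan_pdf`.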

Security test

In this step, we will use a document loaded with malware to exploit the flaw tracked as CVE-2017-11882.

Let’s review the VBA scripts:

olevba exploit.doc

We immediately see a large number of VBA script lines, and at the end the output also summarizes what they do. The next test is to analyze a PDF file with pdfid to view all the objects in the file.

In this example, the PDF file contains /ObjStm objects. To make sure they do not affect our systems, we can extract these objects from the file and examine them separately using pdf-parser.

To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.

You can hack banks with this Microsoft Excel attack
https://www.securitynewspaper.com/2019/06/27/you-can-hack-banks-with-this-microsoft-excel-attack/
Thu, 27 Jun 2019 23:21:04 +0000

According to information security audit specialists, there is a Microsoft Excel feature called Power Query that could be used by threat actors to inject malware into remote systems. Experts at the Mimecast Threat Center described how the vulnerability could be exploited through a proof of concept.

Power Query enables Excel users to embed external data sources in their worksheets. The security firm described an attack method that uses this feature to launch a remote DDE (Dynamic Data Exchange) attack against a spreadsheet, delivering a malicious payload and controlling it through the abused function.

According to information security audit specialists, Power Query could also serve to launch complex, hard-to-detect attacks by combining several attack vectors. By exploiting this feature, hackers could attach malware to a data source outside Excel and load the content into the spreadsheet when the user opens it.

Experts mention that Microsoft collaborated with them in the disclosure process; however, the company decided not to release a fix for this vulnerability. Instead of patching the bug, Microsoft points users to an alternative mitigation in the form of a security advisory on protecting applications when using the DDE feature.

One of the possible attack vectors begins with hackers hosting an external web page on an HTTP server containing the malicious payload that will be delivered to the spreadsheet. “The HTTP server listened locally on port 80 and served DDE content in response when a spreadsheet request was received,” information security audit experts said.

If the user chooses to allow external data to be loaded into the Excel worksheet cell, the attack begins. According to the experts of the International Institute of Cyber Security (IICS), to trigger the DDE the user must double-click the cell that loads the DDE content and then click again to release it. Those actions activate the DDE and launch the payload received from the attacker.
