The Hidden Dangers of Remote Code Execution (RCE) Exploits in Word Documents


Icon of a Word document

Remote code execution (RCE) attacks within Word documents have long been a part of the attacker’s arsenal. Their prevalence stems from a widespread misconception: many users perceive Word documents as inherently safe. This assumption is primarily based on these files’ familiar and seemingly innocuous nature. Over the years, countless individuals and organizations have been conditioned to download, share, and open documents without giving them a second thought, often regardless of the source. This behavior provides an ideal environment for cybercriminals to exploit.

This trust in Word documents, however benign it might appear, masks a significant security threat. For instance, a recently unearthed RCE exploit is currently being used in cyber attacks. This latest iteration is particularly nefarious, leveraging known vulnerabilities in the Word application to surreptitiously introduce a malicious payload onto the target system. The payload is none other than LokiBot or Loki PWS, a notorious information-stealing malware.

For the unsuspecting user, the consequences of such an attack can be profound. Information like login credentials, personal data, and sensitive organizational details can be harvested by LokiBot, leading to financial losses, identity theft, or even corporate espionage. It underscores the necessity of always treating documents, and indeed any files from the internet, with caution and verifying their source before opening.

RCE: An Old Attack with New Tricks

It’s not that this attack is entirely novel. It uses a payload that has been around for some time. Attackers commonly recycle old attacks because they are still effective. By repurposing a familiar payload combined with a new exploit or wrapper, the attack is virtually new again, allowing it to circumvent defenses such as antivirus (AV) that may already recognize it

In this case, the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to execute the Lokibot payload. This technique uses a relationship in the Word doc pointing to a malicious HTML that downloads the malware and uses a VB injector to decrypt and execute the payload. As this attack uses an encrypted payload, its hash does not match previous attacks, becoming undetectable to many AV products. 

Stopping LokiBot the Hard Way

Companies are not without solutions to protect against LokiBot and other similar threats. Training workers to exercise caution when opening and downloading files from email or the internet is helpful, but employees are not perfect. When mistakes happen, and they will, the same threats launch. Any approach that relies on users to take action only reduces the probability of these attacks executing. 

Similarly, antivirus (AV) software and email filtering help detect and prevent some threats early on. However, knowing that these measures might not always identify zero-day attacks or newly-emerging malware is essential. 

Regularly updating software and operating systems is crucial since patches often contain fixes for vulnerabilities that malware like LokiBot might exploit. While this is effective for known threats, novel and zero-day threats may still pose a security risk to your organization’s security. 

Lastly, to further safeguard against specific delivery methods used by LokiBot, disabling macros in Microsoft Word can stop this threat. Of course, by doing so, many files lose their usefulness as macros often provide business critical functions in these files. 

CDR Simply Stops Hidden Threats

There is no need for complicated one-off fixes or accepting exposure until a patch arrives. There is a solution in Content Disarm and Reconstruction (CDR). CDR addresses hidden threats in files by reconstructing them using only verified safe components. This process ensures that files are free from potentially malicious code, making them safe to access.

Combatting This Cyber Threat

The Follina attack pattern is not new to security circles. Only this latest revision is unique, helping it circumvent existing AV solutions. For CDR solutions, this is not an uncommon problem to face or challenging to overcome. CDR works on rebuilding files from only known-safe components, eliminating hidden threats rather than relying solely on detection capabilities to find the threat. The most advanced CDR solutions can address more comprehensive arrays of files and recreate them with higher fidelity as they have more advanced definitions of what is considered safe, allowing files to be rebuilt to be indistinguishable from the original without hidden threats. 

With CDR, the external malicious link is not flagged as a safe portion of the file and will not be included in the rebuild. Even though other factors have changed, the CDR mechanism only focuses on differentiating what is known to be safe. CDR ensures the integrity of the file without compromising its functionality by eliminating ambiguous or potentially harmful components and only retaining those that are verified to be safe. This methodology starkly contrasts traditional AV solutions, which often operate on signature-based detections and can be bypassed with slight modifications in the malware code. The inherent strength of CDR lies in its ability to strip files down to their most basic and secure elements, then reconstruct them without any of the vulnerabilities, while also keeping usability intact.

Continuous Protection from Malicious Files

Another key to preventing concealed threats in files is ensuring automatic protection for all content. Solutions that rely on user actions are vulnerable to lapses, as users might be too preoccupied, forgetful, or neglectful to follow through. Advanced CDR solutions address this by offering an API, allowing various applications and services to integrate seamlessly. This ensures, for instance, that all email traffic is sanitized through the API as it comes in.

This approach adopts a Zero Trust methodology for sanitization, meaning that no files are trusted as safe before they enter the network. The most advanced CDR solutions leverage a combination of detection, disarming, and analysis: 

  1. Detect: Initially, all files are scanned for familiar hidden threats using conventional AV tools. 
  2. Disarm: Recognizing that AV isn’t foolproof, CDR sanitizes files from any source upon arrival, reconstructing them into safe, usable versions using their known safe elements. This process ensures that end-users never bypass the safety step, guaranteeing consistent threat removal. 
  3. Analyze: This is further corroborated by comprehensive analysis, which includes AV signatures that recursively highlight the zero-day threats previously neutralized by CDR.

Votiro Stops Hidden Threats in Files

Votiro is a category leader in CDR. Our advanced solution guarantees immediate value and a tangible return on investment and shields clients from concealed threats. Additionally, our flexible scaling allows customers to adjust processing bandwidth according to their needs, ensuring consistent satisfaction.

Votiro’s CDR protection, anchored on an API-focused solution, easily integrates with current business processes, providing instant defense against cyber threats. With notably quick implementation for both SaaS and on-prem deployments, Votiro users gain immediate sanitization and protection..

Contact us today to learn how Votiro sets the bar to prevent new and existing hidden threats in files so that your employees and systems remain secure while maintaining productivity. And if you’re ready to try Votiro, start today with a free 30-day trial.

background image

News you can use

Stay up-to-date on the latest industry news and get all the insights you need to navigate the cybersecurity world like a pro. It's as easy as using that form to the right. No catch. Just click, fill, subscribe, and sit back as the information comes to you.

Subscribe to our newsletter for real-time insights about the cybersecurity industry.