A recent investigation by Acronis Threat Research Unit (TRU) has revealed an intricate attack which utilized an old version of Microsoft Word as a conduit for installing a persistent backdoor on infected systems.
WordDrone focuses on companies in Taiwan, particularly those involved in the drone manufacturing industry. The investigation revealed that the malware had been installed on systems in companies working in Taiwan’s growing drone industry, which has seen significant government investment since 2022.
Taiwan’s strategic position in both the technological and military sectors likely made these organizations attractive targets for espionage or supply chain attacks.
Microsoft Word vulnerabilities
The attackers use a technique known as DLL side-loading to install malware through a compromised version of Microsoft Word 2010. It installs three primary files to the target system which are a legitimate copy of Winword (Microsoft Word), a maliciously crafted wwlib.dll file, and a file with a random name and extension.
The legitimate Winword application is used to side-load the malicious DLL, which serves as a loader for the actual payload hidden within the encrypted random-named file.
DLL side-loading is a technique that exploits how Windows applications load libraries. In this case, the attackers take advantage of an older version of Microsoft Word, which had a vulnerability allowing it to load a malicious DLL file disguised as a legitimate part of the Microsoft Office installation. The malicious wwlib.dll file acts as a loader, decrypting and executing the actual malware payload hidden in another encrypted file. This use of DLL side-loading makes it difficult for traditional security tools to detect the attack.
The attackers go as far as digitally signing some of the malicious DLLs with certificates that had only recently expired. This tactic allows the malware to evade detection by security systems that fully trust signed binaries.
Once the attack is triggered, a series of malicious actions unfold. The attack begins with the execution of a shellcode stub, which decompresses and self-injects a component known as install.dll. This component establishes persistence on the target system and initiates the next phase by executing ClientEndPoint.dll, which serves as the core of the backdoor functionality.
After installation, the malware prioritizes maintaining persistence on the infected system, utilizing the install.dll component to achieve this. This component supports three operational methods: installing the host process as a service, setting it up as a scheduled task, or injecting the next stage without establishing persistence. These options allow the malware to remain active and evade detection, ensuring it can continue its malicious activities even after the system reboots.
The final stage of the attack begins with two important tasks. First, the malware performs NTDLL unhooking, a technique used to remove potential hooks placed by security software. The malware ensures that no hooks can interfere with its malicious operations by loading a fresh instance of the NTDLL library. Second, the malware uses a technique known as EDR silencing to neutralize popular Endpoint Detection and Response (EDR) tools. It scans the process list for known security tools and adds blocking rules to the Windows Firewall for any matches. This effectively disables the ability of security software to detect or prevent further malicious activity.
One of the more sophisticated aspects of the malware is its ability to communicate with a Command-and-Control (C2) server. The configuration for C2 communication is embedded in the malware and it’s based on a time-based schedule. A bit array in the configuration represents every hour in a week, and if a specific hour is marked as active, the malware would attempt to establish a connection with the C2 server.
The malware also supports multiple protocols for communication, including TCP, TLS, HTTP, HTTPS, and WebSocket. Once communication is established, the malware could receive additional commands or payloads from the C2 server. The custom binary format used in the communication made it more difficult to detect and analyze the traffic.
The initial access vector for the attack remains unclear, but investigators noted that the first appearance of malicious files was in the folder of a popular Taiwanese ERP software. This raised the possibility of a supply chain attack, where the attackers compromised the ERP software to distribute the malware.
