{"id":4335,"date":"2017-11-25T00:42:00","date_gmt":"2017-11-24T23:42:00","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4335"},"modified":"2017-11-24T19:57:01","modified_gmt":"2017-11-24T18:57:01","slug":"ms-office-build-in-feature-can-be-used-for-replicating-malware","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/11\/25\/ms-office-build-in-feature-can-be-used-for-replicating-malware\/","title":{"rendered":"MS Office built-in feature: can be used for replicating malware"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/11\/24\/ms-office-build-in-feature-missbrauch-per-selbst-replizierender-malware-mglich\/\" target=\"_blank\">German<\/a>] A built-in Microsoft Office feature can be abused to let malware spread from document to document. Microsoft does not regard this as a vulnerability, but a ransomware family called 'qkG' has now emerged that uses exactly this technique.<\/p>\n<p><!--more--><\/p>\n<p>Security researchers at Trend Micro came across samples of a file-encrypting ransomware variant implemented entirely in VBA macros, called qkG (detected by Trend Micro as RANSOM_CRYPTOQKG.A). It is classic macro malware: it infects Microsoft Word's Normal template (normal.dot), on which all new, blank Word documents are based.<\/p>\n<p>The first sample was uploaded to VirusTotal on November 12, 2017. While that first sample did not contain a Bitcoin address, newer samples observed two days later came with such an address and with a routine that encrypts documents only on a specific day and at a specific time.<\/p>\n<p>The replication needs no exploit. Because Word builds every new, blank document from normal.dot by default, every document created on an infected system inherits the malicious macro; in other words, once the template is infected, all new, empty Word documents are infected too. The malware spreads using nothing but Word's own template mechanism, which is why Microsoft treats this as expected behaviour rather than as a vulnerability.<\/p>\n<p>Trend Micro has documented the whole case in <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/qkg-filecoder-self-replicating-document-encrypting-ransomware\/\" target=\"_blank\">this blog post<\/a>. The Hacker News has <a href=\"https:\/\/thehackernews.com\/2017\/11\/ms-office-macro-malware.html\" target=\"_blank\">also written<\/a> about this malware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] A built-in Microsoft Office feature can be abused to let malware spread from document to document. Microsoft does not regard this as a vulnerability, but a ransomware family called 'qkG' has now emerged that uses exactly this technique.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,580],"tags":[244,125,69],"class_list":["post-4335","post","type-post","status-publish","format-standard","hentry","category-office","category-security","tag-malware","tag-office","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4335"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4335\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bornc
ity.com\/win\/wp-json\/wp\/v2\/categories?post=4335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
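The post describes how a macro infection of the Normal template propagates but not how to check a template for one. The following is an added example, not code from the original post or from Trend Micro: a small Python script that opens a Word template (modern templates are OOXML zip containers) and reports whether it carries a VBA project, which is how an infected Normal template would show up on disk. It assumes modern Word's Normal.dotm under %APPDATA%\Microsoft\Templates and does not parse the legacy binary normal.dot; the template it builds in memory is a constructed sample for demonstration only. A VBA project in Normal.dotm is not proof of infection, since users do keep legitimate macros there, so treat a hit as a lead for review (for example with oletools' olevba) rather than a verdict.

```python
# Added example (not code from the original post or from Trend Micro):
# check a Word template for an embedded VBA project. Macro malware that
# infects the Normal template persists as a VBA project inside that file,
# so a Normal template that carries word/vbaProject.bin deserves a look.
#
# Assumptions: modern Word stores the user's template as Normal.dotm, an
# OOXML zip container, under %APPDATA%\Microsoft\Templates. The legacy
# binary normal.dot (OLE compound file) is not parsed here.
import io
import os
import sys
import zipfile
from typing import Dict, Optional

VBA_PART = "word/vbaProject.bin"          # where OOXML stores the VBA project
CONTENT_TYPES = "[Content_Types].xml"     # manifest naming the parts and their types
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def default_normal_template_path() -> Optional[str]:
    """Path of the current user's Normal.dotm on Windows, or None elsewhere."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return os.path.join(appdata, "Microsoft", "Templates", "Normal.dotm")


def inspect_template(data: bytes) -> Dict[str, object]:
    """Inspect template bytes and report whether a VBA project is present.

    Two independent signals are checked: the VBA part itself and the
    content-types manifest, which names the part and marks the template
    as macro-enabled. Either one alone is enough to flag the file.
    """
    findings: Dict[str, object] = {
        "is_ooxml": False,
        "has_vba_project": False,
        "vba_project_size": 0,
        "macro_enabled_content_type": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML container (e.g. legacy .dot or garbage)
    findings["is_ooxml"] = True
    names = set(zf.namelist())
    if VBA_PART in names:
        findings["has_vba_project"] = True
        findings["vba_project_size"] = zf.getinfo(VBA_PART).file_size
    if CONTENT_TYPES in names:
        manifest = zf.read(CONTENT_TYPES).decode("utf-8", "replace")
        if "macroEnabled" in manifest or VBA_CONTENT_TYPE in manifest:
            findings["macro_enabled_content_type"] = True
    return findings


def is_suspicious(findings: Dict[str, object]) -> bool:
    """A template with any VBA project signal is worth manual review."""
    return bool(findings["has_vba_project"] or findings["macro_enabled_content_type"])


def build_sample_template(with_vba: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style zip, not a real Word file.

    The structure mirrors what Word writes (manifest plus parts) closely
    enough to exercise inspect_template offline.
    """
    main_type = ("application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
                 if with_vba else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml")
    manifest = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    if with_vba:
        manifest += f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONTENT_TYPES, manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes: OLE compound-file signature plus padding,
            # standing in for a real VBA project stream (64 bytes in total).
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


def inspect_file(path: str) -> Dict[str, object]:
    """Inspect a template file on disk."""
    with open(path, "rb") as fh:
        return inspect_template(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_normal_template_path()
    if target and os.path.exists(target):
        result = inspect_file(target)
    else:
        print("no template path given or found; using the constructed sample")
        result = inspect_template(build_sample_template(with_vba=True))
    print(result, "-> review" if is_suspicious(result) else "-> no VBA project")
```

Run it with no arguments on a Windows machine to inspect the current user's Normal.dotm, or pass a path to any .dotm/.docm/.docx; on other systems it falls back to the constructed sample. Checking both the VBA part and the manifest matters because a tampered manifest can omit the part it no longer wants to declare, while the part itself still sits in the zip.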