A recent investigation by the Acronis Threat Research Unit (TRU) has revealed an intricate attack that used an old version of Microsoft Word as a conduit to install a persistent backdoor on infected systems.
The campaign, dubbed WordDrone, focuses on companies in Taiwan, particularly those involved in the drone manufacturing industry. The investigation revealed that the malware had been installed on systems of companies working in Taiwan's growing drone industry, which has seen significant government investment since 2022.
Taiwan's strategic position in both the technology and military sectors likely made these organizations attractive targets for espionage or supply chain attacks.
Microsoft Word Vulnerabilities
Attackers use a technique known as DLL sideloading to install malware via a compromised version of Microsoft Word 2010. Three main files are placed on the target system: a legitimate copy of Winword (Microsoft Word), a malicious wwlib.dll file, and a file with a random name and extension.
The legitimate Winword application is used to load the malicious DLL, which serves as a loader for the real payload hidden inside the randomly named encrypted file.
DLL sideloading is a technique that exploits how Windows applications load libraries. In this case, attackers take advantage of an older version of Microsoft Word, which had a vulnerability that allowed it to load a malicious DLL file disguised as a legitimate part of the Microsoft Office installation. The malicious wwlib.dll file acts as a loader, decrypting and executing the actual malware payload hidden in another encrypted file. This use of DLL sideloading makes it difficult for traditional security tools to detect the attack.
The attackers even go so far as to digitally sign some of the malicious DLLs with recently expired certificates. This tactic allows the malware to evade detection by security systems that fully trust signed binaries.
Once the attack is triggered, a series of malicious actions unfolds. The attack begins with the execution of a stub, which unpacks and injects a component known as install.dll. This component establishes persistence on the target system and initiates the next phase by executing ClientEndPoint.dll, which serves as the core of the backdoor functionality.
After installation, the malware prioritizes maintaining persistence on the infected system and uses the install.dll component to achieve this. This component supports three operating methods: installing the host process as a service, configuring it as a scheduled task, or injecting the next stage without establishing persistence. These options allow the malware to remain active and evade detection, ensuring that it can continue its malicious activities even after the system is rebooted.
The final stage of the attack begins with two important tasks. First, the malware performs NTDLL unhooking, a technique used to remove potential hooks placed by security software: by loading a fresh instance of the NTDLL library, the malware ensures that no hooks can interfere with its operations. Second, the malware uses a technique known as EDR silencing to neutralize popular endpoint detection and response (EDR) tools. It scans the process list for known security tools and adds Windows Firewall blocking rules for any matches. This effectively disables the security software's ability to detect or prevent further malicious activity.
One of the most sophisticated aspects of the malware is its ability to communicate with a command and control (C2) server. The C2 configuration is built into the malware and is driven by a time schedule: a bit array in the configuration holds one bit for each hour of the week, and if the bit for the current hour is set, the malware attempts to establish a connection to the C2 server.
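The hourly schedule described above is the kind of configuration an analyst extracts from a sample and then uses to predict beacon windows for correlation with network telemetry. The decoder below is an added example, not code from the Acronis report or from the malware; it assumes a layout the report does not spell out (168 bits packed into 21 bytes, day-major with Monday as day 0, least-significant bit first) and constructs its own sample schedule.

```python
from datetime import datetime

# Assumed layout (not specified in the report): 7 days x 24 hours = 168 bits
# packed into 21 bytes, day-major with Monday = 0, bit index i = day*24 + hour,
# least-significant bit first within each byte.
BITMAP_LEN = 21
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def is_hour_active(bitmap: bytes, day: int, hour: int) -> bool:
    """True if the schedule bit for (day, hour) is set."""
    if len(bitmap) != BITMAP_LEN:
        raise ValueError(f"expected {BITMAP_LEN} bytes, got {len(bitmap)}")
    if not (0 <= day < 7 and 0 <= hour < 24):
        raise ValueError("day must be 0-6 and hour 0-23")
    i = day * 24 + hour
    return (bitmap[i // 8] >> (i % 8)) & 1 == 1

def bitmap_from_windows(windows: list[tuple[int, int, int]]) -> bytes:
    """Build a schedule bitmap from (day, start_hour, end_hour_exclusive) windows."""
    buf = bytearray(BITMAP_LEN)
    for day, start, end in windows:
        for hour in range(start, end):
            i = day * 24 + hour
            buf[i // 8] |= 1 << (i % 8)
    return bytes(buf)

def active_windows(bitmap: bytes) -> list[tuple[int, int, int]]:
    """Collapse a bitmap back into contiguous (day, start, end_exclusive) windows."""
    windows, start = [], None
    for day in range(7):
        for hour in range(25):  # hour 24 is a sentinel that closes an open run
            on = hour < 24 and is_hour_active(bitmap, day, hour)
            if on and start is None:
                start = hour
            elif not on and start is not None:
                windows.append((day, start, hour))
                start = None
    return windows

def is_beacon_time(bitmap: bytes, when: datetime) -> bool:
    """Would the implant attempt a C2 connection at this local time? (weekday(): Mon = 0)"""
    return is_hour_active(bitmap, when.weekday(), when.hour)

def describe(bitmap: bytes) -> list[str]:
    """Human-readable windows such as 'Mon 09:00-18:00' for matching against proxy/NetFlow data."""
    return [f"{DAYS[d]} {s:02d}:00-{e:02d}:00" for d, s, e in active_windows(bitmap)]
```

Hours outside the decoded windows are just as useful as those inside: a connection to the suspected C2 host at a time the schedule marks inactive argues against this configuration, or for a different sample.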
The malware also supports multiple communication protocols, including TCP, TLS, HTTP, HTTPS, and WebSocket. Once communication is established, the malware can receive additional commands or payloads from the C2 server. The custom binary format used for this communication makes the traffic harder to detect and analyze.
The initial access vector for the attack is still unclear, but researchers noted that the malicious files first appeared in the folder of a popular Taiwanese ERP software product. This raises the possibility of a supply chain attack, in which the attackers compromised the ERP software to distribute the malware.