A group of cybercriminals is using an ActiveX remote-control component embedded in Word documents to automatically run malware on Windows 10. The malware, Ostap, was recently adopted by the Trickbot team.
According to the researchers, the class in question, MsRdpClient10NotSafeForScripting, was introduced with Windows 10, and the attackers use it to run the malicious macro. ActiveX controls can be added to the text and drawing layers of a Word document to make it interactive. The cybercriminals also hid the Ostap payload as white text in the document body, so that it is invisible to the human eye but not to the computer.
Another observation is that the attackers left the “server” field of the MsRdpClient10NotSafeForScripting control empty, so no connection to a remote server (via RDP) is ever established. This is not an oversight on their part: the error the control returns is what allows the malicious code to run later, which helps it avoid detection. On inspecting the macro, the experts found that the “_OnDisconnected” handler is armed first, because the control needs time to attempt a DNS lookup of the empty server name and then report an error. If that error is “disconnectReasonDNSLookupFailed” (260), the wscript command that launches the Ostap program is built by concatenating a combination of characters that depends on the error number.
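For analysts triaging documents for this pattern, the following Python script is an added example and is not code from the article or from the researchers it cites. It checks an OOXML document for the two structural traits described above: text runs coloured pure white (w:color FFFFFF), which a macro can read while a reader cannot, and the presence of ActiveX or VBA package parts. It also scores already-extracted VBA source against the indicators named in the write-up (the control class name, the _OnDisconnected handler, disconnect reason 260, and a wscript launch). The sample document and the VBA fragment are constructed here as test fixtures; extracting real VBA source from vbaProject.bin is left to a tool such as oletools' olevba, which is an assumption outside this script.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W_NS}

# Indicator strings taken from the write-up; the keys are our own labels.
MACRO_INDICATORS = {
    "rdp_activex_class": re.compile(r"MsRdpClient10NotSafeForScripting", re.I),
    "disconnect_handler": re.compile(r"_OnDisconnected\b", re.I),
    "dns_failure_code": re.compile(r"disconnectReasonDNSLookupFailed|\b260\b", re.I),
    "wscript_launch": re.compile(r"\bwscript\b", re.I),
}


def find_white_text_runs(docx_bytes: bytes) -> list[str]:
    """Return the text of runs formatted in pure white (w:color FFFFFF) in word/document.xml.
    White-on-white text is invisible to a reader but still present for a macro to read."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    hidden = []
    for run in root.iter(f"{{{W_NS}}}r"):
        color = run.find("w:rPr/w:color", NS)
        if color is not None and color.get(f"{{{W_NS}}}val", "").upper() == "FFFFFF":
            text = "".join(t.text or "" for t in run.findall("w:t", NS))
            if text.strip():
                hidden.append(text)
    return hidden


def list_activex_and_vba_parts(docx_bytes: bytes) -> list[str]:
    """Return package parts that indicate embedded ActiveX controls or a VBA project."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("word/activeX/") or n == "word/vbaProject.bin"]


def score_macro_source(vba_source: str) -> dict[str, bool]:
    """Flag which of the write-up's indicators appear in already-extracted VBA source.
    Decompressing vbaProject.bin is assumed to be done beforehand (e.g. with olevba)."""
    return {name: bool(rx.search(vba_source)) for name, rx in MACRO_INDICATORS.items()}


def build_sample_docx() -> bytes:
    """Constructed sample document (not a real malicious file): one visible run, one
    white-text run, plus empty placeholder ActiveX and VBA parts so the checks fire."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:t>Quarterly report</w:t></w:r>'
        '<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        '<w:t>SAMPLE-PAYLOAD-TEXT</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/activeX/activeX1.xml", "<placeholder/>")
        zf.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


# Constructed VBA fragment mirroring the handler pattern described in the article;
# it is a detection fixture, not the real Ostap macro.
SAMPLE_VBA = """
' control type: MsRdpClient10NotSafeForScripting, "server" field left empty
Private Sub Rdp_OnDisconnected(ByVal discReason As Long)
    ' disconnectReasonDNSLookupFailed (260): the empty server name never resolves
    If discReason = 260 Then
        cmd = "wscript " & hiddenText
    End If
End Sub
"""

if __name__ == "__main__":
    doc = build_sample_docx()
    print("suspicious parts:", list_activex_and_vba_parts(doc))
    print("white-text runs:", find_white_text_runs(doc))
    print("macro indicators:", score_macro_source(SAMPLE_VBA))
```

Any document that combines white-text runs with an ActiveX part and a VBA project deserves a closer look; the indicator scoring is deliberately loose (a bare "260" matches any macro that uses that number), so treat it as a triage signal rather than a verdict.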