Windows 10 remote ActiveX control hides hacks
A group of cybercriminals is using a remote-desktop ActiveX control embedded in Word documents to run malware automatically on Windows 10: Ostap, a JavaScript payload recently adopted by the Trickbot team.
Is a massive malware campaign orchestrated by the Trickbot group in preparation? That is what researchers at Bromium and Morphisec fear. They analyzed dozens of Word files containing a malicious macro and an image with encrypted code embedded in it; the code turned out to be a JavaScript payload called Ostap. Going further, Morphisec's experts examined the same documents and noticed that behind the image was an ActiveX control class for RDP (Remote Desktop): MsRdpClient10NotSafeForScripting.
This class was introduced with Windows 10, the researchers say, and the attackers use it to run the malicious macro. ActiveX controls can be added to the text and drawing layers of Word documents to make them interactive. The cybercriminals also managed to hide the Ostap payload as white text in the document body, invisible to the human eye but not to the computer.
Another observation is that the “server” field of the MsRdpClient10NotSafeForScripting control, which is used to establish an RDP connection to a remote server, was left empty. This is not an oversight on the attackers' part: the resulting error is what lets the malicious code execute later, which helps it evade detection. On inspecting the macro, the experts found that the “_OnDisconnected” event handler is triggered first, because the control needs time to try to resolve the empty server name via DNS and then return an error. If that error is “disconnectReasonDNSLookupFailed” (260), the wscript command that launches Ostap is assembled by concatenating character strings selected according to the error number.
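As an added illustration of the detection side (not code from the article or from the researchers it cites), the following Python check scans VBA source that has already been extracted from a document, for instance with oletools' olevba, for the indicators named above: the RDP ActiveX class, an OnDisconnected handler, and the DNS-failure code 260 combined with a script-host reference. The two sample macros are constructed for the test, and matching any version number in the MsRdpClient…NotSafeForScripting name is an assumption that goes beyond the single class the article mentions.

```python
import re

# Indicators taken from the article: the RDP ActiveX class, its OnDisconnected
# event, and the disconnectReasonDNSLookupFailed code (260) used as the trigger.
# Assumption: other version numbers of the class are worth flagging as well.
RDP_CLASS = re.compile(r"MsRdpClient\d*NotSafeForScripting", re.I)
ON_DISCONNECTED = re.compile(r"Sub\s+\w+_OnDisconnected\s*\(", re.I)
DNS_FAIL_CODE = re.compile(r"\b260\b|disconnectReasonDNSLookupFailed", re.I)
SCRIPT_HOST = re.compile(r"\bw?script\b|\bcscript\b", re.I)


def score_vba(source: str) -> dict:
    """Report which Ostap-style indicators appear in one module's VBA source."""
    hits = {
        "rdp_activex_class": bool(RDP_CLASS.search(source)),
        "on_disconnected_handler": bool(ON_DISCONNECTED.search(source)),
        "dns_lookup_failed_code": bool(DNS_FAIL_CODE.search(source)),
        "script_host_reference": bool(SCRIPT_HOST.search(source)),
    }
    # The control may be referenced only from the document's ActiveX parts,
    # so the class name is not required: a disconnect handler that branches
    # on the DNS-failure code is already the pattern described, and any two
    # of the three core indicators are enough to flag the module for review.
    core = ("rdp_activex_class", "on_disconnected_handler", "dns_lookup_failed_code")
    hits["suspicious"] = sum(hits[k] for k in core) >= 2
    return hits


# Constructed sample resembling the described handler (no execution call):
# it fires once the empty server name fails DNS resolution.
SUSPICIOUS_SAMPLE = """
Private Sub RdpCtl_OnDisconnected(ByVal discReason As Long)
    If discReason = 260 Then
        cmd = "wscript" & Chr(32) & payloadPath
    End If
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_SAMPLE = """
Private Sub Document_Open()
    ActiveDocument.Range.InsertBefore "Reviewed on " & Date
End Sub
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_vba(src))
```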