Geriatric Microsoft Bug Exploited by APT Using Commodity RATs


Aug 17, 2014
An APT described as a “Lone Wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.

Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.

The threat group – tracked by Cisco Talos from the beginning of the year through the summer – disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as two years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.
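A defender-side illustration, added here and not part of the original article or of Cisco Talos' research: CVE-2017-11882 lives in the legacy Equation Editor component of Office, so a malicious document that exploits it has to embed an Equation Editor OLE object. The script below triages a document by looking for three indicators of such an object (the Equation.3 CLSID in its on-disk byte order, the "Equation.3" ProgID string, and the UTF-16 "Equation Native" stream name), both in the raw bytes and inside the hex-encoded `\objdata` blobs that RTF uses to carry OLE objects. The sample RTF it scans is constructed for the test and carries no exploit payload; flagged files would still need full analysis in a sandbox, since the presence of an equation object alone is not proof of exploitation.

```python
import re
from typing import Dict, List

# Class ID of the Equation Editor object ({0002CE02-0000-0000-C000-000000000046})
# stored as it appears on disk: Data1..Data3 little-endian, Data4 as-is.
EQNEDT_CLSID_ON_DISK = bytes.fromhex("02CE020000000000C000000000000046")

# Indicator name -> byte pattern. All three are well-known properties of
# Equation Editor objects, not values taken from the campaign in the article.
INDICATORS: Dict[str, bytes] = {
    "equation_editor_clsid": EQNEDT_CLSID_ON_DISK,
    "equation_progid": b"Equation.3",
    "equation_native_stream": "Equation Native".encode("utf-16-le"),
}

# A run of at least 32 hex byte-pairs, optionally split by whitespace, as
# found in RTF \objdata groups (RTF writers wrap the hex at 64 columns).
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){32,}")


def decode_rtf_hex_runs(data: bytes) -> List[bytes]:
    """Return every long hex run in the file decoded back to raw bytes."""
    decoded = []
    for match in HEX_RUN.finditer(data):
        run = re.sub(rb"\s+", b"", match.group(0))
        if len(run) % 2:          # tolerate a trailing stray nibble
            run = run[:-1]
        decoded.append(bytes.fromhex(run.decode("ascii")))
    return decoded


def scan(data: bytes) -> List[str]:
    """Return the sorted list of Equation Editor indicators found in a document."""
    views = [data] + decode_rtf_hex_runs(data)
    hits = set()
    for view in views:
        for name, needle in INDICATORS.items():
            if needle in view:
                hits.add(name)
    return sorted(hits)


def scan_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return scan(fh.read())


def constructed_rtf_sample() -> bytes:
    """Build a minimal, payload-free RTF carrying an Equation.3 OLE object header.

    The object data mimics the layout of an OLE1 container (version, format,
    ProgID, then the class ID) so that both the raw-text and the hex-decoded
    checks have something realistic to match. It is constructed for this
    example only.
    """
    objdata = (
        b"\x01\x05\x00\x00"            # OLE1 version
        + b"\x02\x00\x00\x00"          # format id: embedded object
        + b"\x0b\x00\x00\x00"          # length of the ProgID string
        + b"Equation.3\x00"            # ProgID
        + b"\x00" * 8
        + EQNEDT_CLSID_ON_DISK         # class id as stored on disk
        + b"\x00" * 16
    )
    hexdata = objdata.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (
        b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
        b"{\\*\\objdata " + wrapped + b"}}}"
    )


if __name__ == "__main__":
    print("constructed sample:", scan(constructed_rtf_sample()))
    print("benign text:", scan(b"{\\rtf1 quarterly budget notes}"))
```

Wire `scan_file` into a mail-gateway or sandbox pre-filter and treat any hit as a reason to detonate the attachment rather than as a verdict on its own: legitimate documents with old equations will match too, and a real sample would carry the exploit in the object stream itself, which this triage step deliberately does not parse.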

The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.

To host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.

“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint,” Cisco Talos’ Asheer Malhotra wrote in the post.