silversurfer

Level 47
Content Creator
Trusted
Malware Hunter
Verified
The OceanLotus hacking group is back with a new campaign in 2019 complete with new exploits, decoys, and self-extracting malicious archives.

Also known as APT32, SeaLotus, APT-C-00, and Cobalt Kitty, OceanLotus is a hacking group which operates across Asia and focuses on gathering valuable intel on corporate, government, and political entities across Vietnam, the Philippines, Laos, and Cambodia.

Human rights outfits, the media, research institutes, and maritime construction firms are the hackers' preferred targets and past attacks against these types of organizations have been linked to their campaigns.

The threat actors have been leveraging new tactics this year. ESET researchers said in a blog post on Wednesday that of particular interest is the use of publicly-available exploits for a memory corruption vulnerability present in Microsoft Office, CVE-2017-11882, which has been tailored for use in OceanLotus phishing attempts.

OceanLotus begins its infection journey through the use of fraudulent documents and phishing messages that victims find "appealing," according to the team. During phishing, the threat group may also make use of "decoy" documents and images, sent alongside malicious files, to further disguise their true intentions.

These include messages and documents relating to media contact information, rallies, and political events. If a victim is duped and both opens up a malicious file and enables macros, this installs a backdoor capable of surveillance and data exfiltration.
 

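The post above describes the delivery chain (a malicious Office attachment that either needs macros enabled or carries an embedded object abusing CVE-2017-11882). As an added illustration from a defender's side, not code from the post or from ESET, here is a small triage script for Office Open XML attachments (docx/xlsx/pptx are zip containers). It flags a VBA project part, a macro-enabled content type, and embedded OLE object parts, which are the structural features such lures rely on. The part names, the content-type strings, the sample documents and the risk labels are assumptions I constructed for the example; the samples are not real documents, and this is a coarse structural check rather than an exploit detector.

```python
import io
import zipfile

# Structural indicators inside an Office Open XML container (assumed heuristics):
VBA_PART_SUFFIX = "vbaProject.bin"   # VBA macro project (docm/xlsm/pptm)
OLE_PART_HINT = "/embeddings/"       # embedded OLE objects live under */embeddings/

def triage_ooxml(data: bytes) -> dict:
    """Summarise risky parts in an OOXML document given as raw bytes.

    Returns a dict with: is_ooxml, has_vba, content_type_macro, embedded_objects.
    Non-zip input (e.g. RTF or a plain OLE2 file) is reported as is_ooxml=False.
    """
    result = {"is_ooxml": False, "has_vba": False,
              "content_type_macro": False, "embedded_objects": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:   # every OOXML package carries this part
        return result
    result["is_ooxml"] = True
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    # Macro-enabled main parts use a "...macroEnabled..." content type.
    result["content_type_macro"] = "macroEnabled" in ctypes
    for name in names:
        if name.endswith(VBA_PART_SUFFIX):
            result["has_vba"] = True
        if OLE_PART_HINT in name and name.endswith(".bin"):
            result["embedded_objects"].append(name)
    return result

def risk_label(summary: dict) -> str:
    """Map a triage summary to a coarse label (assumed labelling scheme)."""
    if not summary["is_ooxml"]:
        return "not-ooxml"
    if summary["has_vba"] or summary["content_type_macro"]:
        return "macro-enabled"
    if summary["embedded_objects"]:
        return "embedded-object"
    return "plain"

def build_sample(parts: dict) -> bytes:
    """Build a minimal OOXML-like zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Constructed samples: a plain document, a macro-enabled one, and one with an embedded object.
PLAIN_DOC = build_sample({
    "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{DOCX_MAIN}"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = build_sample({
    "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{DOCM_MAIN}"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder",   # constructed placeholder bytes
})
OLE_DOC = build_sample({
    "[Content_Types].xml": f'<Types><Override PartName="/word/document.xml" ContentType="{DOCX_MAIN}"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0placeholder",  # constructed placeholder bytes
})

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_DOC), ("macro", MACRO_DOC), ("ole", OLE_DOC)):
        print(label, "->", risk_label(triage_ooxml(doc)))
```

In a mail gateway or sandbox pipeline the "macro-enabled" and "embedded-object" labels are the attachments worth routing to deeper inspection or to a policy that strips macros; an RTF or legacy .doc carrier comes back as "not-ooxml" and needs a separate OLE2/RTF parser, which this example deliberately does not attempt.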
shmu26

Level 76
Content Creator
Trusted
Verified
the use of publicly-available exploits for a memory corruption vulnerability present in Microsoft Office, CVE-2017-11882,
So this is an unpatched vulnerability in most versions of MS Office?

So this is an unpatched vulnerability in most versions of MS Office?
To answer my own question, no. It was patched over a year ago.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Hard to understand why high-value targets would be using unpatched, vulnerable software. I guess security awareness is pretty low in Southeast Asia.