An Advanced Persistent Threat (APT) described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity Remote Access Trojans (RATs) to organizations in India and Afghanistan, researchers have found.
Attackers use political and government-themed malicious domains as lures in the campaign, which targets Windows and mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They deliver the RATs in malicious documents that exploit CVE-2017-11882.
CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as two years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.
The APT behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack; a second phase, added in later versions of the campaign, deploys the final RAT payload, researchers said.
To host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.
“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint.”
https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/
It really is so important to patch your systems in a timely manner. I also find it fascinating that this specific vulnerability was able to go 20 years without being discovered or patched. It really makes you wonder what other vulnerabilities are still undiscovered that could be exploited.