{"id":98,"date":"2021-10-20T22:05:59","date_gmt":"2021-10-21T02:05:59","guid":{"rendered":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/?p=98"},"modified":"2021-10-20T22:05:59","modified_gmt":"2021-10-21T02:05:59","slug":"geriatric-microsoft-bug-exploited-by-apt-using-commodity-rats","status":"publish","type":"post","link":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/2021\/10\/20\/geriatric-microsoft-bug-exploited-by-apt-using-commodity-rats\/","title":{"rendered":"Geriatric Microsoft Bug Exploited by APT Using Commodity RATs"},"content":{"rendered":"<p>An Advanced Persistent Threat (APT) described as a \u201clone wolf\u201d is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity Remote Access Trojans (RATs) to organizations in India and Afghanistan, researchers have found.<\/p>\n<p>Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and <a href=\"https:\/\/threatpost.com\/apt-exploits-zerologon-targets-japanese-companies\/161383\/\" target=\"_blank\" rel=\"noopener\">QuasarRAT<\/a> for Windows and AndroidRAT. They\u2019re delivering the RATs in malicious documents by exploiting <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-us\/vulnerability\/CVE-2017-11882\" target=\"_blank\" rel=\"noopener\">CVE-2017-11882<\/a>.<\/p>\n<p>CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company <a href=\"https:\/\/threatpost.com\/microsoft-patches-17-year-old-office-bug\/128904\/\" target=\"_blank\" rel=\"noopener\">patched it<\/a> in 2017. However, as recently <a href=\"https:\/\/threatpost.com\/microsoft-arbitrary-code-execution-old-bug\/145527\/\" target=\"_blank\" rel=\"noopener\">as two years ago<\/a>, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.<\/p>\n<p>The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.<\/p>\n<p>To host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.<\/p>\n<p>\u201cThis campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims\u201d \u2013 in this case, RATs \u201cpacked with multiple functionalities to achieve complete control over the victim\u2019s endpoint,\u201d<\/p>\n<p>https:\/\/threatpost.com\/apt-commodity-rats-microsoft-bug\/175601\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An Advanced Persistent Threat (APT) described as a \u201clone wolf\u201d is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity Remote Access Trojans (RATs) to organizations in India and Afghanistan, researchers have found. Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs [&hellip;]<\/p>\n","protected":false},"author":26648,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-98","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorized","7":"entry"},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/users\/26648"}],"replies":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":1,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":99,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/posts\/98\/revisions\/99"}],"wp:attachment":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec002fall2021\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}