- Threat actors are targeting entities in India and Afghanistan using malicious domains with political and government themes.
- A lone wolf threat actor is operating a crimeware campaign to get early access to high-value targets using a front company for future operations or monetary benefit.
- Malicious documents exploiting CVE-2017-11882, a Microsoft Office memory corruption vulnerability, deliver dcRAT and QuasarRAT for Windows, and AndroidRAT is being used to target mobile devices.
- During the first reconnaissance phase of the attack, the actor additionally employs a custom file enumerator and infector.
CVE-2017-11882 is a memory corruption issue in Microsoft Office that existed for over 20 years before it was finally patched in 2017. However, attackers were still observed exploiting the weakness as recently as two years ago, since it lets them run malware without any user interaction. Researchers have discovered that a “Lone Wolf” APT is using this decades-old Microsoft Office weakness to deploy a flood of commodity RATs to organizations in India and Afghanistan.
CVE-2017-11882 lets the attacker run arbitrary code in the context of the current user because Office fails to handle objects in memory correctly; it is also known as the “Microsoft Office Memory Corruption Vulnerability”. If the recipient falls for the bait and opens the RTF file, it downloads and runs numerous scripts of various types (VBScript, PowerShell, PHP, and others), which in turn download a backdoor payload. The backdoor payload then attempts to connect to a command-and-control server (which was unavailable at the time Microsoft Security Intelligence issued its warning).
Attackers use domains with political or governmental administration themes to deliver the RATs in malicious documents, with exploitation of CVE-2017-11882 serving as the trap in the campaign. They use out-of-the-box RATs such as dcRAT and QuasarRAT for Windows, as well as AndroidRAT, according to the report Cisco Talos released on Tuesday.
Attacker Benefits:
Researchers stated that using commodity RATs gives attackers a wide range of out-of-the-box capabilities, including preliminary reconnaissance, unrestricted command execution, and data exfiltration. For a variety of reasons, fraudsters and APTs are increasingly turning to commodity RATs rather than proprietary malware to attack users.
Researchers broke down the attack process and the specifics of the RATs used in the campaign. The process has two stages.
Exploiting Stages:
The attack starts with an RTF document exploiting CVE-2017-11882 in a vulnerable version of Microsoft Office, which enables arbitrary code execution and enumerates every file on the infected endpoint.
Remote shells, process management, file management, keylogging, arbitrary command execution, and credential stealing are some of the features provided by the RATs; the exact set varies by payload. These RATs also ship with stock features that need only minimal configuration changes to become customized malware, which is what lets attackers deploy this commodity malware anywhere with ease.
Reconnaissance:
The attackers use the malicious RTF to exploit the Office bug and execute PowerShell. The PowerShell command extracts and executes the next-stage PowerShell script.
Phase 1: That script base64-decodes another payload using certutil.exe and runs it on the infected endpoint.
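The Office-to-PowerShell-to-certutil chain just described is a natural detection point. As an added example (not code from the Talos report or this article), the following Python scans constructed Sysmon-style process-creation events and flags the two links of that chain; the field names, process set and sample paths are assumptions.

```python
"""Detection logic for the Office -> PowerShell -> certutil.exe -decode chain.
Added example, not from the Talos report or this article. Field names
(pid, image, parent_image, command_line) and all sample paths are assumptions
modelled loosely on Sysmon process-creation events."""
import json
import ntpath

# Office hosts that should not normally spawn a shell; eqnedt32.exe is the
# Equation Editor component that CVE-2017-11882 affects.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (JSON lines); these are not real indicators.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "WINWORD.EXE /n C:\\Users\\u\\invite.rtf"}
{"pid": 4388, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Office16\\WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden -File stage.ps1"}
{"pid": 4402, "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "certutil.exe -decode C:\\Users\\u\\AppData\\Local\\Temp\\stage.txt C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe"}
{"pid": 5010, "image": "C:\\Windows\\System32\\certutil.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "certutil.exe -verify C:\\temp\\cert.cer"}
"""

def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a finding label for one event, or None if the event looks benign."""
    image = _name(event["image"])
    parent = _name(event["parent_image"])
    cmd = event.get("command_line", "").lower()
    if image in SHELLS and parent in OFFICE_APPS:
        return "office_spawned_shell"
    # certutil -decode (or -decodehex) turning a text blob into a binary is the
    # tell-tale of the stage described above; -verify and friends are normal use.
    if image == "certutil.exe" and parent in SHELLS and "-decode" in cmd:
        return "shell_spawned_certutil_decode"
    return None

def scan(log_text):
    """Parse JSON-lines events and return [(pid, label)] for every suspicious one."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["pid"], label))
    return findings
```

Running scan(SAMPLE_LOG) returns the two suspicious events (4388 and 4402) and ignores the certutil -verify call from cmd.exe.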