An APT described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organisations in India & Afghanistan, researchers have found.
Disguised as an IT firm, the APT is hitting targets in Afghanistan & India, exploiting a Microsoft Office bug that is more than 20 years old & still highly potent.
Government-Themed
Attackers use political & government-themed malicious domains as lures in the campaign, which targets Windows endpoints & Android mobile devices with out-of-the-box RATs such as dcRAT & Quasar RAT for Windows & an Android RAT. They deliver the RATs via malicious documents that exploit CVE-2017-11882, according to a report published Tuesday by Cisco Talos.
The threat group – tracked by Cisco Talos from the beginning of the year through the summer – disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers stated.
Memory Corruption
CVE-2017-11882 is a memory corruption vulnerability in the Equation Editor component of Microsoft Office. The flawed code dates back more than 20 years & went unpatched for 17 of them before Microsoft fixed it in 2017. Exploitation continued long after the patch: attackers were still seen using the bug 2 years ago, & this campaign shows it has not stopped. A successful exploit runs attacker code as soon as the victim opens the document, with no macros to enable & no further user interaction required.
The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator & infector in the reconnaissance phase of the 2-step attack; a 2nd phase, added in later versions of the campaign, deploys the final RAT payload, researchers explained.
Fool Victims
To host the malware payloads, the threat actor registered multiple domains with political & government themes, particularly ones alluding to diplomatic & humanitarian efforts in Afghanistan, to lure targets in that country, researchers outlined.
“This campaign is a classic example of an individual threat actor employing political, humanitarian & diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint,” Cisco Talos’ Asheer Malhotra wrote in the post.
Out-of-the-Box Benefits
The campaign reflects a growing trend among both cyber-criminals & APTs to use commodity RATs rather than custom malware against victims, for a number of reasons, researchers said.
Using commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution & data exfiltration, researchers noted. The RATs also “act as excellent launch pads for deploying additional malware against their victims,” Malhotra wrote.
Custom Malware
Using commodity malware also saves attackers the time & resources of developing custom tooling, as the RATs ship with stock features that require minimal configuration changes, researchers noted.
In their post, researchers broke down the 2-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they observed, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution & credential stealing.
Initial Infection & Reconnaissance
The infection chain consists of a reconnaissance phase that starts with malicious RTF documents & PowerShell scripts that ultimately distribute malware to victims.
Specifically, the threat actor uses the RTF to exploit the Office bug & run a malicious PowerShell command that extracts & executes the next-stage PowerShell script. That script then base64-decodes another payload – in the case researchers observed, a loader executable – & executes it on the infected endpoint, Malhotra wrote.
The loader executable begins by establishing persistence for itself using a shortcut in the current user’s Startup directory & then compiles hardcoded C# code into an executable assembly. It then invokes the entry point of the compiled code – the custom file enumerator & infector mentioned above, researchers found.
File Enumerator
This C# code – the final payload of the reconnaissance phase – contains the file enumerator, which lists specific file types on the endpoint & sends the file paths to the command-&-control (C2) server, along with file infector modules that differ from the executable infectors typically seen in the wild, Malhotra noted.
“These modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,” he wrote.
Attack Phase
Researchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they explained.
To do this, attackers tweaked the reconnaissance process slightly: the 2nd-stage PowerShell script now writes a BAT file to disk, researchers stated. That file in turn runs another PowerShell command that downloads the RAT payload from one of the sites attackers set up & executes it on the infected endpoint.
“So far, we’ve observed the delivery of 3 types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, Quasar RAT & a legitimate copy of the remote desktop client AnyDesk,” Malhotra wrote.
Last Payload
The use of the last payload “indicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,” according to the write-up.
The tactics of the APT used in the campaign demonstrate “aggressive proliferation” as the goal, as the use of out-of-the-box malware combined with customised file infections gives them a straightforward point of entry onto a victim’s network, Malhotra observed.
“Organisations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,” he wrote.
It seems likely that the actor will eventually trade commodity malware for bespoke tools of its own, which means there are probably more campaigns in its future, researchers concluded.