Iranian Cyberspies Exploit Recently Patched Office Flaw

A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.

The threat actor, tracked as APT34 by FireEye and OilRig by other companies, has been active since at least 2014, targeting organizations in the financial, government, energy, telecoms and chemical sectors, particularly in the Middle East.

Back in April, researchers noticed that APT34 had started exploiting an Office vulnerability (CVE-2017-0199) in attacks aimed at Israeli organizations shortly after Microsoft released a patch.

The cyberspies have now also started leveraging CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14. FireEye said it had spotted an attack exploiting this flaw less than a week after the fix was released.

The remote code execution vulnerability affects the Equation Editor (EQNEDT32.EXE) component of Office and it has been around for 17 years. Some believe Microsoft may have addressed the security hole by directly modifying the executable, suggesting that the company may have lost its source code.

Proof-of-concept (PoC) exploits were made available for CVE-2017-11882 shortly after Microsoft released a patch and, in late November, researchers reported that a cybercrime group tracked as Cobalt had started exploiting the vulnerability.

However, FireEye saw the first attempt to exploit CVE-2017-11882 less than a week after Microsoft released a fix. The attack was aimed at a government organization in the Middle East.

In July 2017, FireEye observed an APT34 attack using CVE-2017-0199 to deliver a backdoor tracked by the company as POWRUNER, and a downloader with DGA (domain generation algorithm) functionality named BONDUPDATER. In November, the group switched to using CVE-2017-11882 to deliver these PowerShell-based pieces of malware.

The attackers used specially crafted RTF documents delivered to targeted users via spear phishing emails. When opened, the file triggers the Office vulnerability and initiates an infection process that ends with the execution of the backdoor and the downloader.

POWRUNER allows attackers to collect information about the infected machine, download and upload files, and capture screenshots. Once it receives commands from its command and control (C&C) server, the malware stops running.

The BONDUPDATER downloader is APT34’s first attempt at implementing a DGA for generating subdomains that are used for C&C communications.

“We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursuing strategies to deter detection,” FireEye said in a blog post. “We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.”

This is not the first time FireEye has analyzed APT34’s activities. In May 2016, the security firm published a report detailing some of its attacks on banks in the Middle East, but at the time it did not attribute the operation to any group.

Palo Alto Networks reported in October that OilRig had started using a new Trojan in attacks aimed at entities in the Middle East.

Related: HBO Hacker Linked to Iranian Spy Group