Connect with us

Hi, what are you looking for?



Iranian Cyberspies Exploit Recently Patched Office Flaw

A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.

A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.

The threat actor, tracked as APT34 by FireEye and OilRig by other companies, has been active since at least 2014, targeting organizations in the financial, government, energy, telecoms and chemical sectors, particularly in the Middle East.

Back in April, researchers noticed that APT34 had started exploiting an Office vulnerability (CVE-2017-0199) in attacks aimed at Israeli organizations shortly after Microsoft released a patch.

The cyberspies have now also started leveraging CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14. FireEye said it had spotted an attack exploiting this flaw less than a week after the fix was released.

The remote code execution vulnerability affects the Equation Editor (EQNEDT32.EXE) component of Office and it has been around for 17 years. Some believe Microsoft may have addressed the security hole by directly modifying the executable, suggesting that the company may have lost its source code.

Proof-of-concept (PoC) exploits were made available for CVE-2017-11882 shortly after Microsoft released a patch and, in late November, researchers reported that a cybercrime group tracked as Cobalt had started exploiting the vulnerability.

However, FireEye saw the first attempt to exploit CVE-2017-11882 less than a week after Microsoft released a fix. The attack was aimed at a government organization in the Middle East.

Advertisement. Scroll to continue reading.

In July 2017, FireEye observed an APT34 attack using CVE-2017-0199 to deliver a backdoor tracked by the company as POWRUNER, and a downloader with DGA (domain generation algorithm) functionality named BONDUPDATER. In November, the group switched to using CVE-2017-11882 to deliver these PowerShell-based pieces of malware.

The attackers used specially crafted RTF documents delivered to targeted users via spear phishing emails. When opened, the file triggers the Office vulnerability and initiates an infection process that ends with the execution of the backdoor and the downloader.

POWRUNER allows attackers to collect information about the infected machine, download and upload files, and capture screenshots. Once it receives commands from its command and control (C&C) server, the malware stops running.

The BONDUPDATER downloader is APT34’s first attempt at implementing a DGA for generating subdomains that are used for C&C communications.

“We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursuing strategies to deter detection,” FireEye said in a blog post. “We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.”

This is not the first time FireEye has analyzed APT34’s activities. In May 2016, the security firm published a report detailing some of its attacks on banks in the Middle East, but at the time it did not attribute the operation to any group.

Palo Alto Networks reported in October that OilRig had started using a new Trojan in attacks aimed at entities in the Middle East.

Related: HBO Hacker Linked to Iranian Spy Group

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.