A recently patched vulnerability in Microsoft Office has been abused by Iranian threat actors in attacks against Israeli organizations, researchers from security firm Morphisec reveal.
Carried out between April 19 and April 24, 2017, the politically-motivated, targeted campaign was leveraging the CVE-2017-0199 vulnerability in Office that Microsoft patched earlier this month, after it had been already abused in live attacks. Because many organizations failed to apply the patch, however, the vulnerability continues to offer a viable attack surface.
The attacks targeting Israeli organizations, Morphisec explains, were delivered through compromised email accounts at Ben-Gurion University, which is home to Israel’s Cyber Security Research Center. The actors behind the attack used an existing proof-of-concept (published after the patch was released) to deliver a fileless variant of the Helminth Trojan agent.
The security researchers identified Israeli high-tech development companies, medical organizations and education organizations as victims of the attacks. They also attribute the assaults to an Iranian hacker group known to be responsible for the OilRig malware campaigns.
According to Morphisec, the analyzed Helminth fileless agent was found to be a near perfect match to the OilRig campaign that hit 140 financial institutions in the Middle East last year (at the beginning of 2017, the same actor was revealed to have used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to several Israeli organizations).
The security researchers also reveal that the threat actors decided to switch from malicious macros in Excel and Word documents to a vulnerability exploit. It’s also worth noting that the group set up the attack fast, mainly because there was only a small window of opportunity between the patch release and rollout.
The abused vulnerability allows actors to use malicious HTA (HTML Application) files that Object Linking and Embedding (OLE) functionality in decoy RTF (Rich Text Format) documents linked to. Once the victim opens the malicious RTF, the HTA file is downloaded, which loads and executes a final payload.
Microsoft addressed the issue in its April 11 set of security patches, but not before cybercriminals started abusing it in new attacks. Some of the most prominent threats observed leveraging the exploit included Dridex, along with Latentbot and WingBird.
“Every few years, a new ‘logic bug’ CVE in OLE object linking is identified; the previous one was three years ago (CVE-2014-0640). This kind of vulnerability is rare but powerful. It allows attackers to embed OLE objects (or links in the case of CVE-2017-0199) and bypass Microsoft validation of OLE execution without warning. In essence, it is the same as playing animation in PowerPoint,” the security researchers conclude.