Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft Office Flaw Exploited by Several APT Actors

An Office vulnerability patched by Microsoft last year has been exploited by several advanced persistent threat (APT) actors in operations aimed at organizations in Asia, Kaspersky Lab’s Global Research and Analysis Team reported on Wednesday.

An Office vulnerability patched by Microsoft last year has been exploited by several advanced persistent threat (APT) actors in operations aimed at organizations in Asia, Kaspersky Lab’s Global Research and Analysis Team reported on Wednesday.

The remote code execution flaw, tracked as CVE-2015-2545, had been exploited by an APT group dubbed Platinum and TwoForOne before Microsoft released a patch in September 2015 and a more comprehensive fix two months later. The actor, which has been known to target organizations in South and Southeast Asia, has been active since at least 2009.

CVE-2015-2545 can be exploited for arbitrary code execution via specially crafted Encapsulated PostScript (EPS) image files inserted into Office documents. The exploit for this flaw can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) mitigations.

According to Kaspersky Lab, Platinum was the first group to exploit the vulnerability to deliver malware, but the threat actor apparently stopped using it after Microsoft released patches.

One of the first APT groups to start leveraging CVE-2015-2545 after it was fixed by Microsoft is EvilPost, a China-linked gang that used weaponized Word documents to attack a Japanese defense contractor in December 2015.

At around the same time, a different Chinese attacker dubbed APT16 used an exploit for this Office vulnerability to target media and government agencies in Taiwan. Organizations in Taiwan were also targeted in December 2015 by a threat actor dubbed by Kaspersky “SVCMONDR.”

The SVCMONDR attacks share similarities with operations carried out by a group called Danti. However, researchers have not been able to precisely determine if SVCMONDR and Danti are the same group or if they simply used the same malicious code.

Danti is an actor that has been observed targeting entities in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. It’s believed to be a new group that is related to the NetTraveler and DragonOK cyberspies, whose activities were analyzed in 2013 and 2014.

Advertisement. Scroll to continue reading.

Danti used CVE-2015-2545 in February and March to launch attacks against Indian diplomatic organizations, including many embassies. The group’s activities were also analyzed recently by Palo Alto Networks, which found connections between the malware used in the attacks aimed at Indian embassies and malware used in 2013 in a campaign called Operation Ke3chang. Evidence suggests that the attackers are located in China.

Palo Alto Networks recently also analyzed a campaign where an APT group leveraged the Office flaw to deliver a Poison Ivy variant named “SPIVY” to organizations in Hong Kong.

Exploitation of cve-2015-2545 by APT actors

According to Kaspersky, all of these groups have exploited CVE-2015-2545 to target entities in Asia — none of them have been observed attacking organizations in Western Europe or the United States.

In addition to APT actors, traditional cybercriminals have also leveraged the Office exploit in mass spam campaigns.

“Such attacks mostly target financial institutions in Asia. Specifically, attacks have been recorded in Vietnam, the Philippines and Malaysia. There are reasons to believe that Nigerian cybercriminals are behind these attacks. In some cases, the infrastructure used is the same as the one we saw when analyzing the Adwind Trojan,” researchers said in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.