A recently patched Microsoft Word vulnerability is being used in attacks against government agencies in Taiwan, researchers with Trend Micro found.
The vulnerability, CVE-2014-1761, was the subject of a security advisory from Microsoft back in March, and was patched in April. The presence of a patch, however, has not stopped attackers from targeting the vulnerability.
According to Trend Micro, attacks have been observed targeting government agencies and an educational institute in Taiwan. The first attack used an email with a malicious attachment disguised as a message from a government employee. The message used a title related to a national poll to appear legitimate. The attachment contains the exploit, which drops a file that in turn drops two others; those final two files lead to a payload detected as BKDR_SIMBOT.SMC.
“The second attack targeted an educational institute, also in Taiwan,” according to Trend Micro. “This run used an email attachment to gain access to the recipient’s computer and network. The email message discussed free trade issues, while the attachment had a title about a work project. Similar to the first case, the attachment is also an exploit detected as TROJ_ARTIEF.ZTBD-PB. It drops a backdoor component detected as BKDR_SIMBOT.ZTBD-PB. Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement.”
Both these attacks are believed to have ties to Taidoor, a campaign that has been active since at least 2009. According to Trend Micro, the attacks have the same characteristics as previous runs in terms of targets, social engineering and the use of a zero-day vulnerability.
“Another attack we saw that used CVE-2014-1761 targeted a mailing service in Taiwan,” Trend Micro researchers reported. “Just like the other attacks, this run uses an email attachment as the entry point to the network. The email attachment pretends to be a list about new books from a particular publishing house. This was done to try and pique the recipient’s interest. This attachment is actually the exploit detected as TROJ_ARTIEF.ZTBD-A which drops a PlugX malware detected as TROJ_PLUGXDRP.ZTBD.”
This file drops another file detected as BKDR_PLUGX.ZTBD, which has the ability to perform a wide range of functions, including copying and creating registry keys and modifying services.
“PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries,” according to Trend Micro. “PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system.”
The company recommends organizations apply the Word patch and educate employees about suspicious emails and targeted attacks.