SecurityWeek

Microsoft Word Vulnerability Used in Targeted Attacks Against Taiwan

A recently-patched Microsoft Word vulnerability is being used in attacks against government agencies in Taiwan, researchers with Trend Micro found.

The vulnerability, CVE-2014-1761, was the subject of a security advisory from Microsoft back in March and was patched in April. The availability of a patch, however, has not stopped attackers from targeting the vulnerability.

According to Trend Micro, attacks have been observed targeting government agencies and an educational institute in Taiwan. The first attack used an email with a malicious attachment that was disguised as a message from a government employee. The message used a title related to a national poll to appear legitimate. Inside the attachment is the exploit, which drops a file that then drops two others. The final two files lead to a payload detected as BKDR_SIMBOT.SMC.

“The second attack targeted an educational institute, also in Taiwan,” according to Trend Micro. “This run used an email attachment to gain access to the recipient’s computer and network. The email message discussed free trade issues, while the attachment had a title about a work project. Similar to the first case, the attachment is also an exploit detected as TROJ_ARTIEF.ZTBD-PB. It drops a backdoor component detected as BKDR_SIMBOT.ZTBD-PB. Once executed, this malware can perform commands such as search for files to steal, exfiltrate any file of interest, as well as perform lateral movement.”

Both of these attacks are believed to have ties to Taidoor, a campaign that has been active since at least 2009. According to Trend Micro, the attacks share the characteristics of previous runs in terms of targets, social engineering lures and the use of a zero-day vulnerability.

“Another attack we saw that used CVE-2014-1761 targeted a mailing service in Taiwan,” Trend Micro researchers reported. “Just like the other attacks, this run uses an email attachment as the entry point to the network. The email attachment pretends to be a list about new books from a particular publishing house. This was done to try and pique the recipient’s interest. This attachment is actually the exploit detected as TROJ_ARTIEF.ZTBD-A which drops a PlugX malware detected as TROJ_PLUGXDRP.ZTBD.”

This file drops another file detected as BKDR_PLUGX.ZTBD, which has the ability to perform a wide range of functions, including copying and creating registry keys and modifying services.

“PlugX malware is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries,” according to Trend Micro. “PlugX may allow remote users to perform data theft routines on the affected system. PlugX can give attackers complete control over a system.”

The company recommends that organizations apply the Word patch and educate employees about suspicious emails and targeted attacks.

Written By

Marketing professional with a background in journalism and a focus on IT security.
