Political-themed Actor Using Old MS Office Flaw To Drop Multiple RATs

A novel threat actor with unclear motives is running a crimeware campaign that delivers multiple Windows and Android RATs (remote access tools) by exploiting CVE-2017-11882.

This four-year-old Microsoft Office Equation Editor bug was addressed in Microsoft's November 2017 security updates, but unpatched installations evidently remain exploitable, especially in India and Afghanistan, where the targets of this campaign are based.

The threat actor was spotted by researchers at Cisco Talos, who didn’t find any strong links to a particular nation, apart from a Pakistani IT front company named “Bunse Technologies”.

The actor has registered multiple domains that feature political themes such as diplomatic and humanitarian efforts and uses them to deliver malware payloads to the victims.

A worm-style threat

The infection begins with the victim downloading a malicious RTF (Rich Text Format) file from one of the aforementioned websites; if it is opened in a vulnerable MS Office version, arbitrary code execution is triggered.

First, a loader executable establishes persistence on the system by creating a Startup entry, then compiles hard-coded C# source into an executable.

[Figure: “On the fly” compilation from source code. Source: Cisco]

The resulting binary is a custom file enumerator module that discovers all document files on the infected endpoint and sends a list with the file names and paths to the C2.

Finally, a file infector module is compiled as well; it infects otherwise benign files such as DOCX and EXE files, giving the actor a worm-like spreading mechanism.

[Figure: DOCX file infector module in action. Source: Cisco]

This way, the infection can spread throughout a network as other users open the tampered files.
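The chain described above leaves host-side traces a defender can hunt for. As an added example, not code from the article or from Talos, the Python below runs three heuristics over constructed Sysmon-style process-creation events: a child process spawned by EQNEDT32.EXE (the Equation Editor is a viewer and has no legitimate reason to launch anything, which is why this is a standard indicator of CVE-2017-11882 exploitation), csc.exe started by a parent that is not a known build tool or that runs from a user-writable directory (the .NET Framework CodeDom/CSharpCodeProvider route to compiling C# at runtime shells out to csc.exe), and command lines that write to the Startup folder or a Run key, covering the loader's persistence step. The event fields, the build-tool list, the path fragments and the sample telemetry are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Parents that legitimately launch the C# compiler. Assumed list for this
# example; extend it for your own build hosts.
KNOWN_BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# Directory fragments treated as user-writable. Assumption for the example.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# The article only says "a Startup entry"; both the Startup folder and the
# Run key are checked here.
PERSISTENCE_MARKERS = (
    "\\start menu\\programs\\startup\\",
    "\\currentversion\\run",
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1 (process create) style record; fields are assumed."""
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(frag in lowered for frag in USER_WRITABLE_DIRS)


def classify(ev: ProcessEvent) -> List[str]:
    """Return the detection tags that fire for one event (empty list = nothing)."""
    tags: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)

    # 1. Equation Editor spawning anything: the classic CVE-2017-11882 indicator.
    if parent == "eqnedt32.exe":
        tags.append("eqnedt32_child_process")

    # 2. csc.exe launched by a non-build-tool parent, or by a parent running
    #    out of a user-writable directory: on-the-fly compilation.
    if image == "csc.exe" and (
        parent not in KNOWN_BUILD_TOOLS or _in_user_writable_dir(ev.parent_image)
    ):
        tags.append("csc_from_non_build_tool")

    # 3. Command line touching a Startup folder or Run key.
    lowered_cmd = ev.command_line.lower()
    if any(marker in lowered_cmd for marker in PERSISTENCE_MARKERS):
        tags.append("startup_persistence")

    return tags


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return only the events that triggered at least one tag."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((ev, tags))
    return hits


# Constructed sample telemetry modelled on the chain in the article; not real logs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\explorer.exe",
                 r'"WINWORD.EXE" C:\Users\victim\Downloads\relief_effort.rtf'),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\loader.exe",
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Users\victim\AppData\Local\Temp\loader.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r"C:\Users\victim\AppData\Local\Temp\loader.exe",
                 r"csc.exe /noconfig /out:C:\Users\victim\AppData\Local\Temp\enum.exe C:\Users\victim\AppData\Local\Temp\src.cs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\victim\AppData\Local\Temp\loader.exe",
                 r'cmd.exe /c copy loader.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"'),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"csc.exe /noconfig @obj\Debug\app.rsp"),
]

if __name__ == "__main__":
    for ev, tags in scan(SAMPLE_EVENTS):
        print(f"{_basename(ev.parent_image)} -> {_basename(ev.image)}: {', '.join(tags)}")
```

The build-tool allow-list is the noisy part in practice: developer workstations and CI runners will need exclusions, while the EQNEDT32.EXE rule should fire essentially never on a healthy fleet and can be treated as high severity on its own.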

The payloads that are used in the monitored campaign are the following:

  • Browser credential stealer for Brave, Google Chrome, Opera, Opera GX, Microsoft Edge, YandexBrowser, and Mozilla Firefox.
  • DcRAT, featuring remote shells, keylogging, and file and process management.
  • QuasarRAT, featuring credential stealing, arbitrary command execution, remote shell, and file management.
  • AndroRAT, for Android smartphone targeting.

Moderate attribution confidence

At the time of writing, the site for Bunse Technologies has been taken down, but BleepingComputer was able to find an associated Twitter account.

[Figure: Bunse Technologies account on Twitter]

The CEO of the firm promotes himself as a penetration tester and ethical hacker, and posts nationalistic anti-India and pro-Taliban content on his personal Facebook account.

Talos was also able to find GitHub repositories belonging to this person, one of which contained the DcRat source code. As such, Talos attributes the campaign to this individual with moderate confidence.

[Figure: Actor’s GitHub repository. Source: Cisco]

Although the actor mostly relies on commodity malware in this campaign, the appearance of custom downloaders and file infectors is a sign that they are looking to shift away from tools that are easily detected.

Organizations in Afghanistan and India should remain vigilant against threats of this kind, which can spread rapidly and stealthily inside their networks.
