Cybersecurity researchers have recently identified a previously unknown threat actor running a crimeware operation that targets organizations in India and Afghanistan using politically and government-themed malicious domains.
As explained by security specialists at Cisco Talos, the campaign delivers dcRAT and QuasarRAT to Windows hosts via malicious documents that exploit CVE-2017-11882, and uses AndroidRAT to target mobile devices.
CVE-2017-11882 is a 17-year-old memory corruption vulnerability in Microsoft Office that, if successfully exploited, allows a threat actor to execute code remotely on a vulnerable device once the victim opens a malicious file; beyond opening the file, no further user interaction is required.
According to BleepingComputer, Microsoft addressed the vulnerability in a November 2017 patch, but it is evidently still being exploited.
Security experts at Cisco Talos could not tie the activity to a specific country.
“We assess with high confidence that the threat actor behind these attacks is an individual operating under the guise of a Pakistani IT firm called ‘Bunse Technologies.’”
They further said that the attacker had registered numerous domains with political and governmental themes, all of which hosted malware payloads that were distributed to the targets. The malicious lures also included references to Afghan organizations, especially diplomatic and humanitarian initiatives.