Geriatric Microsoft Bug Exploited by APT Using Commodity RATs

Disguised as an IT firm, the APT is hitting targets in Afghanistan and India, exploiting a Microsoft Office bug more than 20 years old that’s as potent as it is ancient.

An APT described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.

Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows, as well as AndroidRAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a report published Tuesday by Cisco Talos.

The threat group – tracked by Cisco Talos from the beginning of the year through the summer – disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as two years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.

The advanced persistent threat (APT)

Read More: https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/