A memory corruption bug that plagued Microsoft Office until it was patched in 2017, CVE-2017-11882, has been used by a threat actor targeting various entities in both India and Afghanistan. The group appears to be masquerading as the owner of a fake Pakistan-based IT firm, Bunse Technologies, to mask a crimeware campaign gaining a foothold in companies across the continent. An interesting tactic, and one that simplifies the campaign, is the group’s choice to use commodity, or publicly available, remote access Trojans (RATs). dcRAT and QuasarRAT are delivered via malicious documents exploiting CVE-2017-11882. The RATs offer multiple capabilities, including preliminary reconnaissance, arbitrary command execution, and data exfiltration. Choosing these RATs allows the attackers to spend only minimal effort preparing their malware for the campaign.
The group has registered multiple domains that appear to belong to official political or government bodies. The group then uses malicious documents whose content relates to humanitarian and diplomatic work in Afghanistan and India, preying on recent crises that have tormented the regions. According to researchers, “the infection chains consist of malicious RTF documents and PowerShell scripts that distribute malware to victims. We’ve also observed the usage of C#-based downloader binaries to deploy malware while displaying decoy images to victims to appear legitimate.”
Infection through the spread of malicious documents continues to be the most common avenue threat groups take to gain access. Most often, they prey on the urgency and emotions of their targets. Communication that appears to come from government or political entities is an effective way to gain attention, making the needed click more likely. It is critical to implement phishing awareness and defense training, as well as a robust defense-in-depth strategy, including a proactive method such as Threat Hunting.
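One concrete hunting check for the document stage of this campaign, as an added example that is not part of the original article or of the researchers' report: CVE-2017-11882 lives in the Office Equation Editor component, so an RTF file that embeds an Equation Editor object is the carrier the exploit needs and is worth triaging regardless of the rest of its content. The Python scanner below decodes the `\objdata` hex blobs in an RTF file and flags objects whose class is `Equation.3`, by ProgID in the `\objclass` control word or in the OLE object bytes, or by the Equation Editor CLSID. The `Equation.3` ProgID and the CLSID value are public OLE identifiers taken from general knowledge rather than from this page, and both sample documents are constructed here for demonstration; none of this is the threat actor's material.

```python
import binascii
import re
from dataclasses import dataclass

# Equation Editor 3.0 (EQNEDT32.EXE) is the Office component affected by
# CVE-2017-11882. These identifiers are public OLE values from general
# knowledge; they are not taken from the article above.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s;]+)")


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a GUID the way OLE stores it (first three fields little-endian)."""
    p = clsid.split("-")
    return (int(p[0], 16).to_bytes(4, "little")
            + int(p[1], 16).to_bytes(2, "little")
            + int(p[2], 16).to_bytes(2, "little")
            + bytes.fromhex(p[3] + p[4]))


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob (the embedded OLE object bytes) in an RTF file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # tolerate a truncated final nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except binascii.Error:
            continue
    return blobs


@dataclass
class Finding:
    rule: str
    detail: str


def scan_rtf(rtf: bytes) -> list[Finding]:
    """Flag RTF files that embed an Equation Editor object, the carrier CVE-2017-11882 needs."""
    findings: list[Finding] = []
    clsid_bytes = clsid_to_bytes(EQUATION_CLSID)

    # 1. The declared object class in the RTF control words.
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith(b"equation"):
            findings.append(Finding("objclass", m.group(1).decode("ascii", "replace")))

    # 2. The class name or CLSID inside the decoded OLE object bytes, which
    #    catches documents whose \objclass was omitted or renamed.
    for i, blob in enumerate(extract_objdata(rtf)):
        if EQUATION_PROGID in blob:
            findings.append(Finding("objdata-progid", f"blob {i} names {EQUATION_PROGID.decode()}"))
        if clsid_bytes in blob:
            findings.append(Finding("objdata-clsid", f"blob {i} carries CLSID {EQUATION_CLSID}"))

    # 3. \objupdate makes Word activate the object when the file opens, so no
    #    user interaction with the object is needed; noted only when an
    #    Equation object was already found.
    if findings and b"\\objupdate" in rtf:
        findings.append(Finding("objupdate", "object is set to auto-update on open"))
    return findings


def is_suspicious(rtf: bytes) -> bool:
    return bool(scan_rtf(rtf))


# Constructed samples for demonstration only; they are not real malware.
def _ole1_stream(class_name: bytes) -> bytes:
    """Minimal OLE1 object header: version, format id, class-name length, class name."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name + b"\x00" * 16)


BENIGN_RTF = b"{\\rtf1\\ansi Quarterly humanitarian report.\\par}"
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + binascii.hexlify(_ole1_stream(b"Equation.3")) + b"}}}")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("sample", SAMPLE_RTF)):
        print(label, [(f.rule, f.detail) for f in scan_rtf(doc)])
```

Run against a mail-gateway quarantine or a file-share sweep, a hit on `objclass` or `objdata-*` is a strong reason to detonate the document in a sandbox rather than release it, since legitimate Equation Editor objects are rare in diplomatic or humanitarian correspondence; `objupdate` on its own is not a verdict, which is why the scanner only reports it alongside an Equation finding.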