New targeted attack campaign leverages Microsoft Office vulnerabilities


Users in Vietnam and India were targets of a recently discovered attack campaign that uses vulnerabilities in unpatched versions of Microsoft Office to install a trojan and steal information, experts say.

According to a recent blog post by Rapid7 security researchers Claudio Guarnieri and Mark Schloesser, the malware, dubbed KeyBoy, makes its way onto users' computers via spear phishing emails. Once the carefully crafted Microsoft Word attachment in the message is opened with a vulnerable version of the software, an “infection routine” takes place.

The document uncovered in the first attack targets users in Vietnam and discusses methods for teaching and researching scientific topics, which leads the researchers to believe the target lies within the Vietnamese academic community.

The second document, from a separate attack, is written in English and covers the “state of telecommunication infrastructure” in India. It is believed to target users in the telecommunications industry there, according to the blog post.

Once opened, the malicious documents attempt to exploit remote code execution vulnerabilities in Microsoft Office that affect versions 2003, 2007 and 2010. A backdoor trojan is then installed that can steal stored credentials from Internet Explorer and Mozilla Firefox. It can also install a keylogger to capture credentials typed into Google Chrome, and it offers an “interactive mode” through which attackers can further exfiltrate data from compromised machines.

While there is nothing especially sophisticated about this particular targeted attack campaign, the researchers said that may be its most troubling characteristic.

“It's common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post,” they wrote in the blog post.

In an email to SCMagazine.com Monday, Guarnieri said it's difficult to attribute KeyBoy to a particular entity.

"We are constantly seeing more and more attacks coming in probably from the same group and they are very diversified both on the plausible location of the targets as well as their nature," Guarnieri said. "We believe that this group might act as a first generic collection point that opportunistically tries to obtain access to as many interesting targets as possible to harvest potentially valuable information from their systems."
