Malware, Vulnerability Management

APT operation ‘Double Tap’ exploits serious Windows OLE bug

APT3, a group believed to be behind “Operation Clandestine Fox,” is now using exploits targeting recently disclosed vulnerabilities in Windows, researchers at FireEye found.

One of the bugs, CVE-2014-6332, was fixed this Patch Tuesday and noted for being remotely exploitable for 18 years prior to the update. The Windows OLE Automation Array Remote Code Execution vulnerability presented a serious security issue to users, researchers warned, as it impacts every version of Microsoft Windows since Windows 95.

At the time, IBM X-Force Research manager Robert Freeman said that remote exploitation became possible with the release of Internet Explorer 3.0 in 1996, since Visual Basic Script (VBScript) was introduced. In an interview with, Freeman explained that exploitation of the bug would be a “tricky” feat, but also “very formulaic” to recreate once saboteurs came up with attack scenarios.

“The same VBScript code will cause the same outcome all of the time,” Freeman said in the interview.

Now, attacks exploiting the bug have appeared to come to fruition, as security firm FireEye detailed in a Friday blog post. According to the company, the Windows OLE bug, and a separate Windows privilege escalation vulnerability, CVE-2014-4113, have been targeted by the threat group called APT3.

Both bugs received a patch from Microsoft (4113 in October's Patch Tuesday and 6332 in this month's update), a sign that APT3 has apparently moved from leveraging zero-day exploits, to targeting victims with “known exploits or social engineering,” FireEye said.

In the Clandestine Fox campaign APT3 carried, the group was initially observed exploiting an Internet Explorer zero-day to deliver malware to users. Then the group switched up its tactics, wooing new victims via social engineering – in one instance, targeting an energy company by posing as a job applicant seeking employment.

The supposed applicant contacted an employee on a popular social networking site, and weeks later emailed a resume to the employee's personal email account, which contained a weaponized file designed to drop a backdoor called “Cookie Cutter.”

In the most recent wave of phishing lures beginning last Wednesday, dubbed “Operation Double Tap,” attackers sent malicious emails claiming to offer a free month's membership to a Playboy website, FireEye warned. On Oct. 28, APT3 was again observed sending spearphishing emails, which ultimately installed backdoor Cookie Cutter on vulnerable users' machines.  

FireEye published indicators of compromise (IOCs) in its post.  

“Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits,” the blog post said. “The combination of this sustained operational tempo and lack of zero-day exploits may indicate that this group has changed strategy and has decided to attack more frequently and does not have steady access to zero-day exploit code,” FireEye said.

In a Monday interview with, John Kuhn, senior threat researcher at IBM X-Force, said that his company had detected separate attacks targeting the Windows OLE bug.

“Someone released a proof-of-concept code from a Twitter feed I've been tracking for awhile,” he said. Almost immediately afterwards, other hackers had taken up the attack code, tweaking it only slightly, Kuhn added.

“It goes all the way back to Windows 95, and that's a wide net to cast,” he said of the bug. While spearphishing appears to be the “key,” in exploiting users, Kuhn revealed that, in one instance, attackers posted a malicious link to a very popular Russia forum, to try to exploit Windows users.

On Monday, Trey Ford, global security strategist at Rapid7, told in email correspondence that the exploitation of Windows OLE in the wild demonstrates why there needs to be “several paths forward in a vulnerability disclosure line of conversation.”

“When vulnerabilities are being exploited in the wild, honoring the secrecy of an unpatched [bug] while waiting for a fix loses value,” he wrote. “The false economy of secret information protects the attackers, not the defenders. On the positive, a patch already exists – so the priority of applying a patch (released Nov 11, so two weeks ago tomorrow) will encourage defenders to escalate and accelerate patch deployment,” he continued.

“Moments like these are when we take a long, hard look at patch testing cycles and ask – can we do this faster, and what is the risk associated with delay?” Ford said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.