New targeted attack campaign leverages Microsoft Office vulnerabilities


Users in Vietnam and India were targets of a recently discovered attack campaign that uses vulnerabilities in unpatched versions of Microsoft Office to install a trojan and steal information, experts say.

According to a recent blog post by Rapid7 security researchers Claudio Guarnieri and Mark Schloesser, the malware, dubbed KeyBoy, makes its way onto users' computers via spear phishing emails. Once a carefully crafted Microsoft Word attachment found in the message is opened using a vulnerable version of the software, an “infection routine” takes place.

The document uncovered in the first attack, targets users in Vietnam and discusses methods for teaching and researching scientific topics, which leads the researchers to believe that the identity of the target is within the Vietnamese academic community.

While written in English, the second document in a separate attack covers the “state of telecommunication infrastructure” in India. It is believed to be targeting users in the telecommunications industry there, according to the blog post.

Once opened, the malicious documents attempt to run remote code execution vulnerabilities in Windows that affect Microsoft Office versions 2003, 2007 and 2010. A backdoor trojan is then installed that is capable of stealing credentials via Internet Explorer and Mozilla Firefox. It also can install a keylogger to intercept credentials on Google Chrome and enable attackers to further exfiltrate data from compromised machines by operating through an  “interactive mode.”

While there's nothing too sophisticated about this particular targeted attack campaign, he said that may be its most troubling characteristic.

“It's common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post,” he wrote in the blog post.

In an email to Monday, Guarnieri said it's difficult to attribute KeyBoy to a particular entity.

"We are constantly seeing more and more attacks coming in probably from the same group and they are very diversified both on the plausible location of the targets as well as their nature," Guarnieri said. "We believe that this group might act as a first generic collection point that opportunistically tries to obtain access to as many interesting targets as possible to harvest potentially valuable information from their systems."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.