Spear-Phishing Campaign Employs MS Word Flaw to Taint Users with Malware - Sophos

A spear phishing rip-off was recorded by security vendor Sophos in April and May 2015 employed an infamous MS word flaw to taint Internauts systems with malware, reported softpedia.com on September 26, 2015.

As per Sophos, the flaw was well hooked with the MS Intruder kit (MWI) kit that is actively been put to sale by a cyber crook gang nicknamed "Objekt" in the range of $140 / €125. The gang has been extremely choosy about its patrons, selling the exploit kit particularly to gangs that want to assault smaller targets.

And if Sophos theory is to be believed, the cyber-security vendor says that it has witnessed quite instances of MWI being put to use, however, it has a huge success rate of 30%.

The spear phishing operation analyzed by Sophos relies heavily on hackers distributing targeted electronic mails to specific people and firms. These emails comprise RTF files in the form of phony invoices that claim to be from a well-known cloud-based communications provider, RingCentral.

Internauts are baited to open these documents that exploit the infamous Word flaw via MWI, and were tainted with a downloader Trojan.

While usually hackers would distribute the malware directly with the aid of the MWI kit, in the so-called Operation Pony Express, they decided to distribute an mediator downloader instead.

The reason associated with this is not known, but, the downloader shall eventually deliver more hazardous malware at a later stage, Sophos identifying them as Fareit, Wauchos, Rovnix, and Dyzap.

Amusingly, Operation Pony Express also witnessed uniqueness in malware distribution, with the cybercriminals employing two C2 servers. The primary server was employed to distribute the downloader, while the second one is employed for operating the ultimate malware payload itself.

Sophos linked the two C2 servers to the Ukraine and Russia, but, they don't trust that the hackers were imprudent enough to reveal their actual names and IP addresses when registering the domains and hosting accounts employed in this campaign.

According to Sophos more infections are intercepted in the US, UK, China, and Canada, and had Internauts updated to their latest MS Word version, they would have not been affected by the MWI exploit.

» SPAMfighter News - 10/2/2015

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page