Trend Micro researchers have investigated the attacks

May 12, 2014 18:47 GMT
Recent Microsoft Word zero-day leveraged in attacks against Taiwanese organizations

Back in March, Microsoft issued a warning regarding a remote code execution vulnerability in Word that was being leveraged by cybercriminals in targeted attacks. The company patched the security hole in April, but experts have found that cybercriminals are still relying on it in their campaigns.

According to Trend Micro, the Word vulnerability has been leveraged in targeted attacks against government agencies and an educational institution in Taiwan.

The attack against government agencies relied on emails carrying malicious attachments. The messages purported to come from a government employee, and they contained an exploit identified by Trend Micro as TROJ_ARTIEF.ZTBD-R.

This component drops additional files, which ultimately lead to the final payload, detected as BKDR_SIMBOT.SMC.

The operation against the educational institution relied on an email discussing free-trade issues. The file attached to the emails was designed to drop a backdoor, BKDR_SIMBOT.ZTBD-PB, which enabled cybercriminals to steal sensitive files from the targeted organization.

Experts believe that the attacks are part of a campaign dubbed Taidoor, which has been active since 2009.

In addition to these actions, cybercriminals have also been leveraging the Word vulnerability in an attack targeting a Taiwanese mailing service. In this operation, the malicious actors rely on the PlugX RAT to steal files and take control of infected machines.

For additional technical details on the attacks targeted at Taiwanese organizations, check out Trend Micro’s blog.