Word vulnerability used one year after it was patched

Sep 26, 2015 02:49 GMT

A spear-phishing campaign that Sophos tracked in April and May 2015 used a well-known, already-patched Microsoft Word vulnerability to infect users with malware.

According to Sophos researchers, the exploit is packaged into the Microsoft Word Intruder (MWI) kit, which a cyber-criminal group going by the name Objekt actively sells for $140 / €125. The group is selective about its customers, selling the kit only to groups that intend to use it in small, targeted campaigns rather than in mass spam.

That matches what Sophos reports seeing: very few instances of MWI in the wild, but a very high infection rate of 30% among the recipients who were targeted.

Operation Pony Express, April - May 2015

The spear-phishing campaign Sophos analyzed relied on targeted emails sent to specific individuals and organizations. The emails carried fake invoices as RTF attachments, purporting to come from RingCentral, a known cloud-based communications provider.

Users who were lured into opening the documents were hit by the known Word exploit bundled in MWI and infected with a malware "downloader."
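As an added example (not code from the article or from Sophos), here is the kind of triage check a mail-gateway or incident-response analyst could run over RTF attachments like the ones described: it flags files that combine embedded-object control words with large hex blobs, and decodes those blobs to see whether an OLE compound file is hidden inside. Which control words count as suspicious is this example's own assumption; a hit means "inspect this file", not "exploit confirmed", and a benign RTF with a legitimately embedded object will trip it too.

```python
import re

# Control words that introduce embedded OLE objects in RTF. Treating them as a
# trigger for review is an assumption made for this example, not a rule taken
# from the article or from Sophos.
OBJECT_CONTROL_WORDS = ("\\objdata", "\\objupdate", "\\objemb", "\\objautlink")

# Magic bytes of an OLE compound file (the container Word embeds objects in).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# A run of at least 64 hex-encoded bytes, optionally whitespace-separated, is
# how object payloads appear inside an RTF file.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){64,}")


def triage_rtf(data: bytes) -> dict:
    """Return a small report describing why an RTF attachment deserves a look."""
    report = {
        # Word accepts headers as short as "{\rt", so do not insist on "{\rtf1".
        "is_rtf": data.lstrip().startswith(b"{\\rt"),
        "object_words": [],
        "hex_blobs": 0,
        "ole_objects": 0,
        "suspicious": False,
    }
    if not report["is_rtf"]:
        return report

    for word in OBJECT_CONTROL_WORDS:
        if word.encode() in data:
            report["object_words"].append(word)

    for match in HEX_RUN.finditer(data):
        report["hex_blobs"] += 1
        raw = bytes.fromhex(re.sub(rb"\s", b"", match.group(0)).decode("ascii"))
        if OLE_MAGIC in raw:
            report["ole_objects"] += 1

    # Object control words alone are common in legitimate documents; object
    # control words plus a sizeable hex payload is what warrants a closer look.
    report["suspicious"] = bool(report["object_words"]) and report["hex_blobs"] > 0
    return report


# Constructed sample inputs (not real samples from the campaign).
BENIGN = b"{\\rtf1\\ansi Invoice #1234 due on receipt.\\par}"
SUSPECT = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
    + OLE_MAGIC.hex() + "00" * 60
    + "}}\\par Invoice attached.}"
).encode("ascii")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_rtf(sample))
```

The decision deliberately stays coarse: the point is to route attachments that carry an embedded object payload into sandboxing or manual review rather than to identify a particular exploit, since the same object-embedding mechanism is used by several Word vulnerabilities and by ordinary documents alike.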

Normally an MWI document drops the final malware directly, but in Operation Pony Express the attackers chose to deliver an intermediary downloader instead.

The reason is unknown, but the downloader later fetched more dangerous malware: Sophos saw follow-on infections with Fareit, Rovnix, Wauchos, and Dyzap.

Attackers used two different C&C servers

Interestingly, Operation Pony Express also used an unusual two-server setup: one C&C server delivered the downloader, while a second server controlled the final malware payload.

Sophos researchers traced the two C&C servers to Russia and Ukraine, but they do not believe the attackers were careless enough to register the domains and hosting accounts used in this operation under their real names and addresses.

Sophos also says that most infected users were in the US, UK, China, and Canada, and that anyone running a fully patched copy of Microsoft Word would have been protected: the MWI exploit targets a flaw Microsoft had fixed a year earlier.

Word files used to infect users with malware
Geographical spread of Operation Pony Express infected users