Security researchers have recently uncovered a notable threat actor running a crimeware operation. It targets agencies in Afghanistan and India, mainly through government-themed domains.
The campaign delivers dcRAT and QuasarRAT to Windows systems, exploiting CVE-2017-11882 to do so, and an AndroidRAT to mobile devices.
What is CVE-2017-11882?
It is a Microsoft Office memory corruption vulnerability that allows an attacker to execute malicious code on a device once the victim opens a crafted file.
Beyond opening the document, no further user interaction is required. Microsoft addressed the vulnerability in late 2017, but attackers continued to exploit it. The exploit was able to bypass both free and subscription-based antivirus products for Windows.
Security researchers have not yet mapped the campaign's connections to other regions. The report shows that the attackers also registered several domains themed on government and publishing organizations; these domains hosted the malware that was sent out to different targets.
The lures were aimed mainly at vulnerable Afghan organizations, with a focus on humanitarian and diplomatic entities.
How Does It Work?
According to researchers at CellTrackingApps, the attack starts when a victim downloads an RTF document containing malicious code from a website; the code executes when the victim opens the file in a vulnerable version of Microsoft Office.
The first stage is a loader that establishes persistence by adding itself to the Startup folder. It also compiles hard-coded C# source into an executable. The resulting binary contains a custom file enumerator module that scans the compromised endpoint for document files.
It then sends the list of file names and their paths to the C2 server. The process ends with a file infector that compromises otherwise harmless files, such as DOCX documents and EXEs, so that they function as a worm for the attackers.
When a user opens one of the infected documents, the infection spreads to their computer. Research reports show that the operator also targeted login credentials stored in common web browsers.
These include Microsoft Edge, Chrome, Opera, and others. The latest variant is more sophisticated: researchers have identified several dcRAT payloads hosted on attacker-controlled websites, which were delivered to the victim devices once the operation reached the infection stage.
Although dcRAT is a simple remote access tool written in C#, it is distinctive and can exploit several weaknesses on the user's side. It supports keylogging, remote shells, and file management. Other notable aspects of the campaign:
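Detection logic covering the infection chain just described (Office opening the RTF and triggering the Equation Editor, a loader writing itself to the Startup folder, and the file infector writing many DOCX/EXE files), as an added Python example that is not from the original article or the researchers' report. The endpoint telemetry lines are constructed, the event field names are assumptions, and the mass-write threshold is an assumed tuning value; eqnedt32.exe is the Office Equation Editor process that CVE-2017-11882 exploitation goes through, so an Office application spawning it, or it spawning anything else, is a strong signal.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# eqnedt32.exe is the Office Equation Editor binary exploited by CVE-2017-11882.
# Office applications have no normal reason to spawn it, and it has no normal
# reason to spawn anything else.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Per-user Startup folder, matched case-insensitively as a path substring.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
PERSIST_EXTS = {".exe", ".lnk", ".bat", ".vbs", ".ps1"}
# File types the article says the infector targets (DOCX and EXE).
INFECT_EXTS = {".docx", ".doc", ".exe"}
MASS_WRITE_THRESHOLD = 5  # assumed tuning value, not from the article

# Constructed sample telemetry, one JSON event per line (field names are assumptions).
# "process" events: parent/image are the full paths of the parent and the new process.
# "file" events: process is the writing process, path is the file written.
SAMPLE_TELEMETRY = r"""
{"ts": 1, "type": "process", "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"ts": 2, "type": "process", "parent": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"ts": 3, "type": "file", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"}
{"ts": 4, "type": "file", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "path": "C:\\Users\\alice\\Documents\\report1.docx"}
{"ts": 5, "type": "file", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "path": "C:\\Users\\alice\\Documents\\report2.docx"}
{"ts": 6, "type": "file", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "path": "C:\\Users\\alice\\Documents\\report3.docx"}
{"ts": 7, "type": "file", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "path": "C:\\Users\\alice\\Documents\\report4.docx"}
{"ts": 8, "type": "process", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"ts": 9, "type": "file", "process": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "path": "C:\\Users\\alice\\Documents\\notes.docx"}
"""


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run the rules over events in order and return a list of alert dicts."""
    alerts = []
    written = defaultdict(set)  # writer process name -> doc/exe paths it wrote
    for ev in events:
        if ev["type"] == "process":
            parent, child = _name(ev["parent"]), _name(ev["image"])
            # Rule 1: Office application launching the Equation Editor.
            if parent in OFFICE_APPS and child == EQUATION_EDITOR:
                alerts.append({"rule": "office_spawned_equation_editor",
                               "ts": ev["ts"], "detail": f"{parent} -> {child}"})
            # Rule 2: Equation Editor launching any child (the dropped loader).
            elif parent == EQUATION_EDITOR:
                alerts.append({"rule": "equation_editor_child_process",
                               "ts": ev["ts"], "detail": f"{parent} -> {child}"})
        elif ev["type"] == "file":
            path = ev["path"]
            ext = PureWindowsPath(path).suffix.lower()
            writer = _name(ev["process"])
            # Rule 3: executable or script dropped into the Startup folder.
            if STARTUP_MARKER in path.lower() and ext in PERSIST_EXTS:
                alerts.append({"rule": "startup_folder_persistence",
                               "ts": ev["ts"], "detail": f"{writer} wrote {path}"})
            # Rule 4: one process writing many DOCX/EXE files (file infector).
            if ext in INFECT_EXTS:
                written[writer].add(path)
                if len(written[writer]) == MASS_WRITE_THRESHOLD:
                    alerts.append({"rule": "mass_document_write", "ts": ev["ts"],
                                   "detail": f"{writer} wrote {MASS_WRITE_THRESHOLD} document/executable files"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_TELEMETRY)):
        print(alert["ts"], alert["rule"], alert["detail"])
```

The benign tail of the sample (Explorer launching Word, Word saving a single document) produces no alerts, which is the point of keying rules 1 and 2 to the Equation Editor process rather than to Office activity in general; the mass-write rule fires once per writer, when the threshold is first reached, so a worm that keeps going does not flood the queue.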
- The website of the Pakistani IT company behind this software is offline, but the company remains active on social media platforms such as Twitter.
- The investigative report on the attack shows that the actor runs the campaign under the cover of a fake software development company.
- The attack mainly hits Afghan and Indian entities, which should be aware of how quickly it spreads between devices.
Windows is one of the most popular operating systems, but it is also subject to many vulnerabilities; this campaign's C2 infrastructure, capable of targeting government systems and more, is one example. Awareness of such attacks is vital to choosing the right protection against spyware.