June 10, 2013, 2:07 PM — Users from Vietnam, India, China, Taiwan and possibly other countries, were targeted as part of an attack campaign that uses Microsoft Word documents rigged with exploits in order to install a backdoor program that allows attackers to steal information, according to researchers from security firm Rapid7.
The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims. These documents were rigged to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.
One of the malicious documents found by Rapid7 researchers is written in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests that the targets of attacks where this document was used are part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday in a blog post.
A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe that this document was used to target people working in the telecommunications industry in India or local government representatives.
When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010, and were patched by Microsoft in 2012 as part of the MS12-027 and MS12-060 security bulletins.
Despite being relatively old, such vulnerabilities, especially CVE-2012-0158, are commonly exploited in targeted attacks. Two examples of recent targeted attacks where CVE-2012-0158 was used include the NetTraveler and HangOver cyberespionage campaigns.
The malicious documents install a backdoor program that Rapid7 researchers have dubbed KeyBoy, after a text string found in one of the samples. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic Library Link) file called CREDRIVER.dll, the researchers said.