Recent reports indicate a sophisticated malware campaign that is specifically targeting entities in Afghanistan and India. This campaign exploits a decades-old vulnerability in Microsoft Office, identified as CVE-2017-11882, which has since been patched. The vulnerability allows adversaries to deploy remote access trojans (RATs), granting them total control over infected systems.

Research conducted by Cisco Talos attributes this cyber operation to a single threat actor, who operates under the guise of a fictitious IT firm named Bunse Technologies, headquartered in Lahore. The actor has been linked to pro-Pakistan and Taliban propaganda dating back to 2016, suggesting a politically motivated agenda behind the attacks.

The operational mechanics of the attack hinge on politically and government-themed lure domains. These domains host the malware payloads and distribute weaponized Rich Text Format (RTF) documents alongside PowerShell scripts to further propagate the infection. The weaponized RTF files exploit the aforementioned vulnerability to execute commands that deploy additional malware for system reconnaissance.
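Because the initial access in this campaign rides on RTF documents that embed an Equation Editor object, a defender's first triage step is static: look inside the RTF for the markers that such a document must carry before it can reach the vulnerable component. The script below is an added example written for this article, not code from Cisco Talos or from the campaign. It extracts the hex payload of each `\objdata` group while skipping control words and nested groups (a common parser-evasion trick), and flags the `Equation.3` class name, the well-known Equation Editor CLSID `0002CE02-0000-0000-C000-000000000046`, the `\objupdate` control word that makes Word load the object automatically on open, and a truncated `{\rt` header that Word still accepts. The sample RTF is constructed inline with a simplified OLE header; it is not a sample from the campaign.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), the component fixed by the
# CVE-2017-11882 patch. Seeing it inside an embedded object means the document
# would hand content to the Equation Editor when opened.
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"
HEXCHARS = set("0123456789abcdefABCDEF")
# An RTF control word, a \'hh byte escape, or any other escaped character.
RTF_CONTROL = re.compile(r"\\[a-zA-Z]+-?\d* ?|\\'[0-9a-fA-F]{2}|\\.")


@dataclass
class Finding:
    indicator: str
    detail: str


def clsid_to_le_hex(clsid: str) -> str:
    """Render a GUID string as it is stored on disk (Data1-Data3 little-endian)."""
    p = clsid.split("-")
    return (bytes.fromhex(p[0])[::-1] + bytes.fromhex(p[1])[::-1]
            + bytes.fromhex(p[2])[::-1] + bytes.fromhex(p[3] + p[4])).hex()


def extract_objdata_hex(rtf: str) -> list[str]:
    """Collect the hex payload of every \\objdata group.

    Control words and nested groups are skipped instead of being read as hex,
    so \\bin or junk groups sprinkled through the blob do not corrupt the bytes.
    """
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf):
        i, depth, buf = m.end(), 0, []
        while i < len(rtf):
            c = rtf[i]
            if c == "{":
                depth += 1
                i += 1
            elif c == "}":
                if depth == 0:
                    break                      # closing brace of the \objdata group
                depth -= 1
                i += 1
            elif c == "\\":
                mm = RTF_CONTROL.match(rtf, i)
                i = mm.end() if mm else i + 1
            else:
                if depth == 0 and c in HEXCHARS:
                    buf.append(c)
                i += 1                         # whitespace/line breaks between digits
        blobs.append("".join(buf).lower())
    return blobs


def triage_rtf(data: bytes) -> list[Finding]:
    """Return the Equation-Editor-related indicators found in an RTF file."""
    text = data.decode("latin-1")
    found: list[Finding] = []
    if not text.startswith("{\\rtf1"):
        found.append(Finding("nonstandard-header",
                             "header %r is not {\\rtf1; Word still parses it" % text[:6]))
    if re.search(r"\\objclass\s+Equation", text, re.I):
        found.append(Finding("objclass-equation", "object declares the Equation.3 class"))
    if re.search(r"\\objupdate\b", text):
        found.append(Finding("objupdate", "object is loaded automatically on open"))
    clsid_hex = clsid_to_le_hex(EQUATION_CLSID)
    progid_hex = b"Equation.3".hex()
    for n, blob in enumerate(extract_objdata_hex(text)):
        if clsid_hex in blob:
            found.append(Finding("equation-clsid", f"objdata #{n} embeds the Equation Editor CLSID"))
        if progid_hex in blob:
            found.append(Finding("equation-progid", f"objdata #{n} names Equation.3 in its OLE header"))
    return found


def build_sample() -> bytes:
    """Constructed test document (not a campaign sample) with a simplified OLE 1.0 header."""
    ole1 = (bytes.fromhex("01050000")                 # OLE 1.0 version
            + bytes.fromhex("02000000")               # format id: embedded object
            + (11).to_bytes(4, "little")              # class name length incl. NUL
            + b"Equation.3\x00"
            + bytes.fromhex(clsid_to_le_hex(EQUATION_CLSID))
            + b"\x00" * 16)                           # placeholder for the object stream
    hexblob = ole1.hex()
    split = "\r\n".join(hexblob[i:i + 32] for i in range(0, len(hexblob), 32))
    rtf = ("{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
           "{\\*\\objdata " + split + "}}}")
    return rtf.encode("latin-1")


BENIGN_SAMPLE = b"{\\rtf1\\ansi\\deff0 Quarterly budget notes.\\par}"

if __name__ == "__main__":
    for f in triage_rtf(build_sample()):
        print(f"{f.indicator:20} {f.detail}")
```

Run it against a quarantined attachment with `triage_rtf(open(path, "rb").read())`. A hit on `equation-clsid` or `equation-progid` is not proof of exploitation (legitimate documents with equations carry the same object), but combined with `\objupdate` and a lure theme it is enough to pull the file for sandboxing and to check whether the November 2017 patch is actually installed on the recipient's machine.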

The CVE-2017-11882 vulnerability concerns a memory corruption issue that can be exploited to execute arbitrary code. Microsoft addressed this flaw as part of its Patch Tuesday updates in November 2017. After the reconnaissance phase, the attack sequence continues to exploit the vulnerability to issue a series of commands that result in the installation of various commodity malware, including DcRAT and QuasarRAT. These malware variants come with an integrated suite of functionalities such as remote shell access, process and file management, keylogging, and credential theft.

Additionally, this cybercriminal operation has included a credential-stealing tool for various web browsers such as Brave, Microsoft Edge, Mozilla Firefox, Google Chrome, and Yandex Browser. This capability further enhances the attacker’s ability to gather sensitive information from targeted victims.

The findings from this investigation illustrate a textbook case of a lone threat actor leveraging politically charged themes to deliver commodity malware. Researchers have noted that RAT families continue to be favored by both crimeware and advanced persistent threat (APT) groups for infecting targets. These malware variants serve as excellent platforms for launching further attacks against compromised systems.
