The Inquirer-Home

Cisco uncovers Microsoft Word spearphishing attack

Targeted rich industries like banking, oil, television and jewellery
Tue Jul 01 2014, 13:44

microsoft-word-logoCISCO HAS DISCOVERED spearphishing malware in Microsoft Word that uses an exploit targeting the software's Visual Basic Scripting for Applications feature.

Cisco's investigation into the malware identified a group of attacks by the same threat actor, with Cisco exposing the threat actor's network after it had discovered a Microsoft Word document that downloaded and executed a secondary sample, which began beaconing to a command and control server.

"While basic, the Office Macro attack vector is obviously still working quite effectively," Cisco technical lead Craig Williams said in a blog post. "When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim's machine."

Williams said that this threat actor seemed to target high-profile, rich industries such as banking, oil, television and jewellery companies and victims of the attacks were duped into opening an email attachment in the form of an invoice, written specifically for the recipient.

"The message [was] a fairly simple phish email which includes a fake name and an attached Microsoft Word document. However, this was simply the outer layer of the onion so it's best, we think, to start from the beginning," Williams said.

"This particular phishing attempt was noticed in Cisco's email corpus due to the email attachment's poor block rates at most antivirus engines."

"For the duration of this campaign there is one thing that remained consistent: at best, a few antivirus engines may have generically detected the attached malware but more often than not coverage was provided by a single vendor, or no coverage was provided at all." µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Microsoft's Windows 10 Preview has permission to watch your every move

Does Microsoft have the right to keylog users of its Windows 10 Technical Preview?