Hackers conducted a targeted operation against Ukraine using an old MS Office bug
Researchers discovered the MS Office flaw seven years ago
3 min. read
Published on
Share this article
Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more
Threat actors used a seven-year-old Microsoft Office bug to conduct a targeted operation against Ukraine. Through it, they could infect vulnerable computers with a cracked version of Cobalt Strike. The tool allows them to gain remote access to a device. Afterward, it lets hackers download ransomware and other types of malware.
According to The Hacker News, Deep Instinct Threat Lab researchers discovered the targeted operation against Ukraine at the end of 2023. Also, it started with the signal-2023-12-20-160512.ppsx, a PowerPoint slideshow (PPSX) file. In addition, because of the filename, researchers believe that people shared the malicious document through Signal, a messaging app.
However, that’s just a speculation. Yet, according to the Computer Emergency Response Team of Ukraine (CERT-UA), attackers used the messaging app as a delivery tool for two other campaigns.
How did the targeted operation against Ukraine work?
CERT-UA revealed that the UAC-0184 group targets the members of the armed forces via messaging and other platforms. One of the methods used in the targeted operation against Ukraine was to spread malware and send files containing a HijackLoader, the Remcos RAT, or XWorm. Additionally, they share open-source programs like tusc and sigtop to extract information and files from vulnerable devices.
Threat actors sent a PPSX file as an outdated US Army manual for tank mine clearing blades. The document contained a link to an OLE object (Object Linking and Embedding). This technology lets hackers link and embed files. The link to the OLE object allowed them to exploit the Microsoft Office Vulnerability CVE-2017-8570.
When cybercriminals managed to exploit a vulnerable device, the PPSX file would download a remote heavily obfuscated script from the weavesilk[.]space which belongs to a Russian VPS provider.
Afterward, it would install an HTML file containing a Javascript code that modifies the Windows Registry to ensure the malware runs after a reboot. Once the operation ends, the script downloads a next-stage payload disguised as a Cisco AnyConnect VPN client.
The payload used in the targeted operation against Ukraine contained a Cobalt Strike Beacon, a cracked and modified file. With it, attackers can execute commands, log keystrokes, drop files, and communicate with targeted systems.
Ultimately, even if the Deep Instinct Threat Lab researchers discovered the targeted operation against Ukraine, they couldn’t attribute it to any known group or organization. Fortunately, by updating the MS Office, future attacks shouldn’t work. Yet, to ensure your safety, download files only from officials and trusted sources. In addition, update your applications regularly.
What are your thoughts? Are you using the latest version of Microsoft Office apps? Let us know in the comments.
