Spear phish exploits Office vulns


Users in India, Vietnam targeted.

A new attack campaign is targeting vulnerabilities in Microsoft Office to install a trojan and steal information.


The KeyBoy malware was delivered via spear phishing emails primarily against users in Vietnam and India, Rapid7 security researchers Claudio Guarnieri and Mark Schloesser said.

A crafted Microsoft Word attachment within the phishing email executed an “infection routine” using a vulnerable version of Office. 

The email appeared to be from the Vietnamese academic community as it discussed methods for teaching and researching scientific topics, according to researchers.

A second document in a separate attack covered the “state of telecommunication infrastructure” in India.

Once opened, the malicious documents attempted to exploit remote code execution vulnerabilities in Windows that affect Microsoft Office versions 2003, 2007 and 2010.

A backdoor trojan was then installed that could steal credentials via Internet Explorer and Mozilla Firefox.

It can also install a keylogger to intercept credentials on Google Chrome, and it enables attackers to further exfiltrate data from compromised machines by operating through an 'interactive mode'.

“It's common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post,” he wrote in the blog post.

Guarnieri told SC it was difficult to attribute KeyBoy to a particular entity.

"We are constantly seeing more and more attacks coming in probably from the same group and they are very diversified both on the plausible location of the targets as well as their nature," Guarnieri said.

"We believe that this group might act as a first generic collection point that opportunistically tries to obtain access to as many interesting targets as possible to harvest potentially valuable information from their systems."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition