New Microsoft 0-Day in Use by Two Distinct Hacking Groups

Earlier this week Microsoft released a Fix it for a new zero-day vulnerability currently being exploited. One mitigating factor seems to be that it only affects older versions of Windows; but Websense has now estimated that nearly 37% of the world's MS Office business users are vulnerable to the attack. "While the impact has been limited to date," observed Alex Watson, Websense director of security research, "we have observed targeted email attacks against Middle East and South Asia victims."

Meanwhile, FireEye has analyzed samples found in the wild and come to the conclusion that the exploit is currently being used by two distinct hacking groups: the known Hangover group, and a second group that FireEye calls the Arx group. If FireEye is right, and more than one group is already using the exploit, its incidence could grow.

At the time that information on the Hangover campaign surfaced earlier this year, questions were raised – and fiercely denied – that there may be some nation-state involvement. That campaign seemed to stem from India and largely target Pakistan – and there is no change now. "Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan," notes FireEye.

Jean-Ian Boutin, a malware researcher at ESET agrees with the Hangover connection. "I have analyzed some of the binaries that are linked to the domains referred to in the FireEye as well as the AlienVault report on this MS 0-day," he told Infosecurity. "The binaries I have looked at are very similar to the ones I analyzed a couple of months ago. Furthermore, the modus operandi they are using as well as the targets are the same as the ones explained in my blog post on the subject. On a technical side, the string obfuscation is exactly the same as well. Thus, I agree that these attacks are likely coming from the people behind operation hangover."

FireEye adds, however, that C&Cs operated by the Arx group "revealed that 619 targets (4024 unique IP addresses) have been compromised." But again, "The majority of the targets are in India (63 percent) and Pakistan (19 percent)." This leads FireEye to suspect that the Arx group, which uses the vulnerability to spread the Citadel trojan, had access to the exploit before Hangover. "It appears," says FireEye, "that the Hangover group acquired the exploit in October 2013."

FireEye suspects that the Arx group acquired the exploit in September, based on times when samples began to be uploaded to VirusTotal.

The two different groups use slightly different methods to activate the exploit, which relies on being able to control the memory layout when processing Tiff files. "The Ark [sic] group used a slightly more clever approach to spray the same amount of memory using fewer objects in their exploit document."

The groups also seem to have differing intent. The Hangover group has always been most interested in stealing data. This continues with the current campaign. The payload  includes "a variety of tools including a reverse shell backdoor, a keylogger, a screenshot grabber, and a document exfiltration tool."

"Interestingly," adds Boutin, "it is the first time we see this group use a 0-day. Most of the exploits we’ve seen them use are old exploits, like the infamous CVE-2012-0158, which incidentally also affects Microsoft Office.They used the latter exploit for a long time even after the vulnerability was patched, so seeing them use an actual 0-day might indicate that they are raising their game."

The Arx group, dropping Citadel, is more interested in banking and user credentials. "Citadel is a variant of the Zeus Trojan," explains FireEye, "that emerged in 2012 after the Zeus source code was leaked. Citadel is designed to allow cybercriminals to steal banking information and account credentials." Indeed, the associated email is often finance-related in its attempt to trick the user into clicking the poisoned attachment. The sample given by FireEye reads, " Attached is the money transfer documents as instructed by our customer. Please, kindly review and let us know if you have any questions about the payment slip."

FireEye's research tells us a number things. Firstly, the exploit is being used by at least two different groups: Hangover and Arx. Secondly, its use is already more widespread than initially suspected. And thirdly, while Hangover has always been associated with highly targeted data stealing (and may therefore stay largely focused on India and Pakistan), the Arx group is using it for organized crime. This second use may well spread beyond the sub-continent.

What’s hot on Infosecurity Magazine?