Iranian attackers are leveraging a patched Office zero-day vulnerability.
The attacks, carried out between April 19 and April 24, 2017, exploit a vulnerability in the Object Linking and Embedding (OLE) functionality in Office, said researchers at security firm Morphisec.
What looks like a politically motivated, targeted campaign was leveraging the CVE-2017-0199 vulnerability in Office that Microsoft patched earlier this month, after it had already been abused in live attacks.
As is often the case, multiple organizations failed to apply the patch, so the vulnerability continues to offer a viable attack surface.
The attacks targeted Israeli organizations, said Morphisec researcher Michael Gorelik in a blog post.
They were delivered through compromised email accounts at Ben-Gurion University, home to Israel's Cyber Security Research Center. Those behind the attack used an existing proof-of-concept (published after the patch was released) to deliver a fileless variant of the Helminth Trojan agent.
The security researchers identified Israeli high-tech development companies, medical organizations and education organizations as victims of the attacks. They also attribute the assaults to an Iranian hacker group known for other attacks.
The analyzed Helminth fileless agent was found to be a near-perfect match to the OilRig campaign that hit 140 financial institutions in the Middle East last year (at the beginning of 2017, the same actor used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to several Israeli organizations), Gorelik said in his post.
The bad guys decided to switch from malicious macros in Excel and Word documents to a vulnerability exploit, researchers said. It is also apparent the group set up the attack quickly, mainly because there was only a small window of opportunity between the patch release and rollout.
The attack uses decoy RTF (Rich Text Format) documents whose Object Linking and Embedding (OLE) objects link to malicious HTA (HTML Application) files. Once the victim opens the malicious RTF, the HTA file is downloaded, and it in turn loads and executes the final payload.
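The delivery shape described above (an RTF whose linked OLE object auto-updates from a remote URL ending in .hta) is something a mail gateway or triage script can check for. The scanner below is an added example, not code from Morphisec or the article: it is a heuristic, not a full RTF parser (oletools' rtfobj covers the complete grammar), the URL moniker CLSID is a documented COM constant rather than a value from the article, and the sample document is a constructed, non-functional fixture.

```python
import re

# CLSID of the OLE URL moniker in the little-endian byte order used inside serialized
# OLE objects (a documented COM constant, not a value taken from the article).
URL_MONIKER_CLSID_LE = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
HEX_CHARS = re.compile(rb"[0-9a-fA-F]")
# URLs inside a URL moniker are stored as UTF-16LE, so match "h\0t\0t\0p\0..." byte pairs.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata group (hex-encoded OLE1 object stream) in an RTF file.
    Takes the text up to the closing brace; nested groups inside objdata are rare
    (heuristic only, oletools' rtfobj handles the full RTF grammar)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b([^}]*)", rtf):
        hexdata = b"".join(HEX_CHARS.findall(m.group(1)))   # drop whitespace/obfuscation
        if len(hexdata) >= 2:
            blobs.append(bytes.fromhex(hexdata[: len(hexdata) // 2 * 2].decode()))
    return blobs

def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF whose linked OLE object would auto-update from a remote URL."""
    result = {"auto_update_link": bool(re.search(rb"\\obj(?:autlink|update)\b", rtf)),
              "url_moniker": False, "urls": [], "hta_reference": False}
    for blob in extract_objdata_blobs(rtf):
        if URL_MONIKER_CLSID_LE in blob:
            result["url_moniker"] = True
        for m in UTF16_URL.finditer(blob):
            url = m.group().decode("utf-16-le")
            result["urls"].append(url)
            if url.lower().endswith(".hta"):
                result["hta_reference"] = True
    if result["auto_update_link"] and result["url_moniker"]:
        result["verdict"] = "suspicious"     # auto-updating link object fetching a remote URL
    elif result["urls"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result

# Constructed fixture for the detector: a minimal decoy RTF with an auto-updating link
# object pointing at an .hta URL. The object stream is simplified, not a valid OLE stream.
SAMPLE_URL = "http://example.invalid/decoy.hta"
_ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + URL_MONIKER_CLSID_LE
         + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00")
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objautlink\\objupdate\\objw100\\objh100\n"
              b"{\\*\\objdata " + _ole1.hex().encode() + b"}}\nDecoy text\\par}")
```

Calling scan_rtf(SAMPLE_RTF) returns a "suspicious" verdict with the extracted URL; a document with no link object returns "clean".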
Microsoft fixed the problem in its April 11 set of security patches, but not before attackers started taking advantage of it.