Hackers conducted a targeted operation against Ukraine using an old MS Office bug

Researchers discovered the MS Office flaw seven years ago

Published on April 29, 2024

Threat actors used a seven-year-old Microsoft Office bug to conduct a targeted operation against Ukraine. Through it, they could infect vulnerable computers with a cracked version of Cobalt Strike. The tool gives them remote access to a device and then lets them download ransomware and other types of malware.

According to The Hacker News, Deep Instinct Threat Lab researchers discovered the targeted operation against Ukraine at the end of 2023. It started with signal-2023-12-20-160512.ppsx, a PowerPoint slideshow (PPSX) file. Because of the filename, researchers believe that people shared the malicious document through Signal, a messaging app.

However, that’s just speculation. Still, according to the Computer Emergency Response Team of Ukraine (CERT-UA), attackers used the messaging app as a delivery tool for two other campaigns.

How did the targeted operation against Ukraine work?

CERT-UA revealed that the UAC-0184 group targets members of the armed forces via messaging and other platforms. One of the methods used in the targeted operation against Ukraine was to spread malware and send files containing HijackLoader, the Remcos RAT, or XWorm. Additionally, they share open-source programs like tusc and sigtop to extract information and files from vulnerable devices.

Threat actors sent a PPSX file presented as an outdated US Army manual for tank mine clearing blades. The document contained a link to an OLE (Object Linking and Embedding) object. This technology links and embeds files in a document. The link to the OLE object allowed the attackers to exploit the Microsoft Office vulnerability CVE-2017-8570.

When cybercriminals managed to exploit a vulnerable device, the PPSX file would download a heavily obfuscated remote script from weavesilk[.]space, which belongs to a Russian VPS provider.

Afterward, it would install an HTML file containing JavaScript code that modifies the Windows Registry to ensure the malware runs after a reboot. Once the operation ends, the script downloads a next-stage payload disguised as a Cisco AnyConnect VPN client.

The payload used in the targeted operation against Ukraine contained a Cobalt Strike Beacon, a cracked and modified file. With it, attackers can execute commands, log keystrokes, drop files, and communicate with targeted systems.

Ultimately, even though the Deep Instinct Threat Lab researchers discovered the targeted operation against Ukraine, they couldn’t attribute it to any known group or organization. Fortunately, once MS Office is updated, future attacks of this kind shouldn’t work. Yet, to ensure your safety, download files only from official and trusted sources. In addition, update your applications regularly.

What are your thoughts? Are you using the latest version of Microsoft Office apps? Let us know in the comments.


Sebastian Filipoiu

Sebastian is a content writer with a desire to learn everything new about AI and gaming. So, he spends his time writing prompts on various LLMs to understand them better. Additionally, Sebastian has experience fixing performance-related problems in video games and knows his way around Windows. Also, he is interested in anything related to quantum technology and becomes a research freak when he wants to learn more.
