‘Ancient’ MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that is delivering malware aimed at cyber espionage and at disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique, abusing the way Microsoft Word resolves its own libraries at startup, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about an unusually behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were dropped to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while in the second stage the attackers attempt to move laterally to Windows servers, the researchers said.

Similarities to "TIDrone" Campaign

It's unclear whether the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they could not find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found several components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities such as CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there's a high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

Targeting a Side-Loading Flaw

The attack leverages a side-loading weakness in an old version of Winword (v14.0.4762.1000): the executable resolves wwlib.dll from its own directory before any system location, so attackers who drop a DLL with that exact name next to the legitimate, signed Winword binary get their code loaded inside a trusted Microsoft process.

"In the very same directory where Winword was located, we could see only two additional files, a … DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader whose sole purpose is to read the main payload stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is itself stored in encrypted form inside the loader, so a static string search of wwlib.dll will not reveal it.
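The on-disk pattern described above (a legitimate Winword binary outside its normal install path, a sibling wwlib.dll that is small or not Microsoft-signed, and an extra file with a nonsensical name in the same folder) is cheap to hunt for. The following PowerShell script is an added example written for this page; it is not code from the Acronis report or from Dark Reading. The drive list, the 5 MB size threshold for a genuine wwlib.dll, the "Program Files" path check and the set of benign extensions are assumptions to be tuned per environment; only the Winword build number comes from the article.

```powershell
# Added hunting script (not from the Acronis report or the Dark Reading article).
# For every winword.exe found under the given roots, inspect the wwlib.dll that
# sits beside it and list any other sibling files with unexpected extensions.
# Assumptions: roots, size threshold, path check and extension allow-list.

param(
    [string[]] $Roots = @('C:\'),              # assumption: drives to sweep
    [long]     $MinWwlibBytes = 5MB,           # assumption: real wwlib.dll is far larger
    [string]   $OldBuild = '14.0.4762.1000'    # build named in the Acronis report
)

# Extensions one expects next to a Word binary; anything else is worth a look.
$benignExt = @('.exe', '.dll', '.manifest', '.xml', '.config', '.olb', '.dat')  # assumption

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter 'winword.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe      = $_
        $dir      = $exe.DirectoryName
        $build    = $exe.VersionInfo.FileVersion
        $lib      = Join-Path -Path $dir -ChildPath 'wwlib.dll'
        $findings = @()

        # Winword living somewhere other than an Office install path (e.g. an ERP folder)
        if ($dir -notmatch 'Program Files') {
            $findings += "winword.exe outside Program Files: $dir"
        }
        if ($build -eq $OldBuild) {
            $findings += "winword.exe build $build matches the WordDrone sample"
        }

        if (Test-Path -LiteralPath $lib) {
            $libItem = Get-Item -LiteralPath $lib
            $sig     = Get-AuthenticodeSignature -FilePath $lib
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

            if ($libItem.Length -lt $MinWwlibBytes) {
                $findings += "wwlib.dll is only $($libItem.Length) bytes"
            }
            # A signature can be Valid yet issued to someone other than Microsoft;
            # check the signer, not just the status.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft Corporation') {
                $findings += "wwlib.dll signature status '$($sig.Status)', signer '$signer'"
            }
        }

        # Sibling files with extensions that do not belong next to Word
        $odd = Get-ChildItem -LiteralPath $dir -File |
               Where-Object { $_.Extension.ToLower() -notin $benignExt } |
               Select-Object -ExpandProperty Name
        if ($odd) {
            $findings += "unexpected sibling file(s): $($odd -join ', ')"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Winword  = $exe.FullName
                Build    = $build
                Findings = ($findings -join '; ')
            }
        }
    }
}
```

Run it with elevated rights so that every user profile and application folder is readable; a hit on the signer check alone is not proof of compromise (vendors do ship Office components in unusual places), but a small, non-Microsoft wwlib.dll beside an old Winword build outside Program Files reproduces exactly the triad the researchers describe and should be pulled for analysis along with every sibling file, since the payload file name is not recoverable from the loader's strings.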

The backdoor has functionality typical of this type of malware, including the ability to monitor user sessions, send and receive commands from the attacker-controlled command-and-control (C2) server, and exfiltrate data back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2, which reduces the number of machines that ever talk to the attacker's infrastructure.

Why Target Taiwanese Drone Makers?

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers raises the question of the attackers' motive, which the Acronis team tried to address.

Drone production has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space — often providing components for original equipment manufacturers (OEMs) — and even more if the country's broader aerospace industry is taken into account, they said.

This investment in drone production and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with the appropriate Taiwanese cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should watch for suspicious activity, especially anything involving older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should take note and shore up their defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."
