Vietnamese Users Targeted with Credential-Stealing Malware
An old vulnerability in Microsoft Word has triggered a series of infections with password-stealing malware in Vietnam, according to researchers at Metasploit-maker Rapid7.
The attack starts with specially crafted Microsoft Word documents that trigger CVE-2012-0158 and CVE-2012-1856, two vulnerabilities mitigated by the vendor last year. So far, two attacks are known: one uses a Vietnamese document about “reviewing and discussing best practices for teaching and researching scientific topics,” and the other an English document detailing the coverage of GSM networks.
When the document is opened, the exploit code triggers a vulnerability in the word processor, which results in the stealthy installation of a piece of malware that steals credentials from the local storage of Internet Explorer and Mozilla Firefox. To steal data from Google Chrome, the malware also deploys a keylogger.
“Recently the growth of amount and scale of targeted attacks has come to the point w[h]ere they are starting to look more like opportunistic carpet bombings rather than ninja strikes,” wrote security researcher Claudio Guarnieri on the blog. “It’s common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post.”
Today’s incident is yet another reminder of the need to deploy security hotfixes as soon as the vendor makes them available, especially for a commonly known bug mitigated one year ago.