Vulnerability in Office used by various spy groups to steal classified information

Kaspersky has published a report stating that targets in Asia are being attacked by at least four espionage groups exploiting the Microsoft Office vulnerability CVE-2015-2545.

The researchers from Kaspersky stated that:

CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.

The vulnerability allows the attacker to execute arbitrary code; the exploit itself uses PostScript and is capable of evading the ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) protection mechanisms.

The report also states that the exploit was first seen when the Platinum group used the vulnerability in an attack on Indian targets.

Other threat actors known to use this vulnerability:

  • Danti
  • APT16
  • EvilPost

The attackers deliver the exploit in fake documents in order to infect the unsuspecting user. Once the victim receives a malicious document and opens it, the malware starts running in the background while the victim is shown a harmless-looking decoy document.
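Since the report says the exploit is carried as PostScript inside an Office document, the triage check a practitioner wants is a quick way to find documents that contain embedded PostScript at all. The script below is an added example written for this article, not code from Kaspersky's report: it opens an OOXML package (.docx/.xlsx/.pptx, which is a zip archive) and flags any part whose name or bytes look like PostScript/EPS, falling back to a raw byte scan for non-zip files. The sample documents it builds in memory are constructed for the demonstration, and the part names (`word/media/image1.eps`) are an assumption about where such an image would normally be stored.

```python
import io
import zipfile

# "%!PS-Adobe" opens both plain PostScript and EPS files; the four bytes
# C5 D0 D3 C6 are the DOS EPS binary header that wraps a PostScript section
# together with a preview bitmap. Either one means PostScript is present.
PS_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"


def scan_bytes(data: bytes) -> list[str]:
    """Return a list of indicators found in one blob (empty list if clean)."""
    findings = []
    if data.startswith(DOS_EPS_MAGIC):
        findings.append("dos-eps-header")
    if PS_MAGIC in data[:4096]:
        findings.append("postscript-magic")
    return findings


def scan_office_document(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious package part to its indicators.

    OOXML documents are zip archives, so every embedded object is a
    separate member that can be inspected. A file that is not a zip
    (e.g. a legacy binary .doc) is scanned as one raw buffer instead.
    """
    results: dict[str, list[str]] = {}
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        hits = scan_bytes(blob)
        if hits:
            results["<raw>"] = hits
        return results

    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            hits = scan_bytes(zf.read(info))
            # Check the extension separately: the magic check still catches
            # an EPS part that an attacker renamed to look like a PNG.
            if info.filename.lower().endswith((".eps", ".ps")):
                hits.append("postscript-extension")
            if hits:
                results[info.filename] = hits
    return results


def build_sample(with_eps: bool) -> bytes:
    """Construct a minimal docx-like package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_eps:
            zf.writestr("word/media/image1.eps",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n")
        else:
            zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("suspicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, scan_office_document(doc))
```

A hit means only that the document carries PostScript, not that it exploits CVE-2015-2545; EPS images are legitimate but rare in business documents, so flagged files are worth pulling aside for sandbox detonation rather than blocking outright. Extend `scan_office_document` to recurse into embedded OLE objects if your environment sees many legacy binary formats.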


