Hacking campaign uses old Microsoft Office flaws to create backdoors, steal files

The Felixroot campaign exploits vulnerabilities that were disclosed -- and patched -- last year in a bid to deploy file-stealing malware.
Written by Danny Palmer, Senior Writer


A new hacking campaign aims to use old vulnerabilities in Microsoft Office software to create a backdoor into Windows systems in order to spy and steal files.

Dubbed Felixroot, the malware is delivered to individuals in Ukraine using a weaponised phishing email claiming to contain seminar information on environmental protection, indicating that the selected victims are likely to be highly targeted. The message is written in Russian and claims to come from Kazakhstan.

The Felixroot campaign has been unearthed by researchers at FireEye, who have linked it to a previous campaign using the same malware which targeted Ukrainians in September last year.

This campaign exploits two Microsoft Office vulnerabilities: CVE-2017-0199 and CVE-2017-11882.

CVE-2017-0199 allows attackers to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit, while CVE-2017-11882 allows attackers to run arbitrary code and potentially take control of the whole system.

Both exploits came to light last year and have been used by malicious actors in various campaigns. In this new attack, the two exploits are being used to run the Felixroot malware, which creates a backdoor in infected systems and comes with all the processes needed to secretly monitor and exfiltrate files.

"Felixroot is looking to steal uploaded files from the targeted machine along with the system's information. The architecture of the backdoor includes features for Remote Shell, downloading, and executing files from the C2 server," Swapnil Patil, researcher at FireEye, told ZDNet.

In this case, the payload is delivered with a lure document 'Seminar.rtf', which exploits CVE-2017-0199 to download a second-stage payload onto the victim's computer. This second-stage payload is equipped with CVE-2017-11882, enabling attackers to gain significant control over the system.
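Defenders triaging a lure like 'Seminar.rtf' can check for the RTF markers a CVE-2017-0199 document relies on: an embedded OLE object with `\objupdate` (which makes Word resolve the link on open) whose `\objdata` carries an OLE2Link object and a URL moniker. The scanner below is an added example, not FireEye's tooling or anything from the article; the indicator choice is based on public analyses of CVE-2017-0199 documents, and the sample RTF is constructed inline.

```python
"""Triage helper for RTF lures abusing CVE-2017-0199 (added example, not FireEye's code).

It decodes every \\objdata blob and flags the combination of \\objupdate with an
OLE2Link marker or the URL moniker CLSID. It detects indicators only; it builds
no working exploit and fetches nothing.
"""
import re
import uuid

# Little-endian bytes of the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B},
# the moniker an OLE2Link object uses to point at a remote resource.
URL_MONIKER_CLSID = uuid.UUID("79eac9e0-baf9-11ce-8c82-00aa004ba90b").bytes_le

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def decode_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata control word."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Score an RTF file for CVE-2017-0199 style auto-updating OLE links."""
    findings = {
        "has_object": b"\\object" in rtf,
        "auto_update": b"\\objupdate" in rtf,  # link resolved as soon as the doc opens
        "ole2link": False,
        "url_moniker": False,
    }
    for blob in decode_objdata(rtf):
        findings["ole2link"] |= b"OLE2Link" in blob
        findings["url_moniker"] |= URL_MONIKER_CLSID in blob
    findings["suspicious"] = findings["auto_update"] and (
        findings["ole2link"] or findings["url_moniker"]
    )
    return findings


def _sample_objdata() -> bytes:
    # Constructed stand-in for an OLE1 header naming OLE2Link, then the moniker CLSID.
    return b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00OLE2Link\x00" + URL_MONIKER_CLSID


# Constructed samples: a minimal lure-shaped document and a harmless one.
MALICIOUS_SAMPLE = (
    b"{\\rtf1{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata " + _sample_objdata().hex().encode("ascii") + b"}}}"
)
BENIGN_SAMPLE = b"{\\rtf1 Seminar agenda\\par}"
```

Run `triage_rtf` over a suspect file's bytes; a `suspicious` result is a cue to detonate the document in a sandbox and check endpoints for the second-stage download described in the article.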


This backdoor component comes with custom encryption and is loaded directly into memory without touching the disk, boosting its chances of remaining hidden as it carries out its tasks.

Once successfully installed in memory, the payload sleeps for 10 minutes before looking for the command to be launched and connecting to the C&C server, to which stolen data is secretly sent.

As part of the process, the malware also retrieves information about the infected system, including name, user name, volume serial number, Windows version, and processor architecture.

Ultimately, Felixroot is designed to be a backdoor into the entire system and several commands reflect its intention to exfiltrate data. In an effort to avoid making its presence known, the malware sleeps for one minute following each task and before executing the next.

Once Felixroot is done with its snooping, the malicious processes are terminated and all footprints on the targeted machine are removed. It's a mode of operational security designed to ensure that even if the attack is discovered, it can't be traced back to the group behind it.

As the campaign is still under investigation, FireEye hasn't revealed the specific targets of the attack or who the perpetrator might be. However, it's believed Felixroot is still active and could eventually expand the scope of its attacks.


"All industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting. Also, in the near future we can expect some more features included in the malware by threat actors," said Patil.

Felixroot takes advantage of vulnerabilities for which patches have long been available, so one of the best ways to avoid falling victim to this campaign is to ensure systems are updated and therefore protected against the exploits.

However, this and other campaigns currently remain successful because plenty of organisations have failed to apply these updates.

"Despite the release of patches, these vulnerabilities are targeted in the wild by threat actors because of the high percentage of success," said Patil.
