Error in MSFT Word Causes Controversial Activity by Taiwanese Drone-Maker

In a recent surge of attacks targeting Taiwanese drone makers, cybercriminals have been weaponizing an outdated version of Microsoft Word to deliver malware designed for cyber espionage and disruption of military- and satellite-related supply chains.

The attack, known as “WordDrone,” was uncovered by researchers from the Acronis Threat Research Unit. They identified a dynamic link library (DLL) side-loading technique that abuses the way an older Microsoft Word executable loads one of its own libraries. The technique is used to install a persistent backdoor, named ClientEndPoint, on compromised systems.

The Acronis team became aware of this unique attack vector when investigating a customer complaint from Taiwan regarding suspicious activity in an old version of Microsoft Word. Upon further examination, they discovered that three files – a genuine copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and extension – were introduced to the system. The malicious ‘wwlib’ DLL, acting as a loader for the encrypted payload, was loaded via Microsoft Word.

Further analysis revealed a two-stage attack pattern observed across various environments between April and July of the current year. The initial stage targets Windows desktop machines, while the subsequent stage involves a pivot to Windows servers by the attackers.

The resemblance of the WordDrone attack to a previous campaign against Taiwanese drone manufacturers by the threat actor “TIDrone” raises the question of a possible connection. TIDrone, associated with Chinese-speaking threat groups, uses ERP software or remote desktop tools to deploy custom malware. Notably, the WordDrone attack shares traits with TIDrone in its use of ERP components and its exploitation of vulnerabilities such as CVE-2024-40521.

The attackers exploit a DLL side-loading weakness in an outdated version of Winword: the executable loads a DLL that carries the same name as the original Microsoft-supplied library, so a malicious DLL planted with that name is loaded in its place. This DLL acts as a loader for the main payload, which is stored in an encrypted file and is known as the ClientEndPoint backdoor. The backdoor offers the usual malicious functionality: eavesdropping on user sessions, executing commands received from a command-and-control (C2) server, exfiltrating data, and supporting proxy configurations for communication within infected hosts.
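The detection angle for the mechanism just described is that a legitimate copy of winword.exe and its wwlib.dll normally live together in the Office install directory and are both signed by Microsoft, whereas a side-loaded copy runs from wherever the attacker dropped the three files. The script below is an added example written for this page (it is not Acronis code and not from the original report): it runs a simple heuristic over constructed, Sysmon-style image-load records and flags a winword.exe that loads wwlib.dll from outside the expected Office directories or with a non-Microsoft signer. The record layout, the list of expected install directories and the signer string are assumptions to be tuned per environment; the sample records are made up.

```python
"""Flag wwlib.dll side-loading by a stray winword.exe.

Added example, not code from the article or the Acronis report. The
record shape is modelled on Sysmon Event ID 7 (Image loaded); the
expected Office directories and the Microsoft signer string are
assumptions for this example.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ImageLoad:
    """Hypothetical image-load record (assumed field names)."""
    process_image: str   # full path of the process that loaded the DLL
    loaded_image: str    # full path of the DLL that was loaded
    signed: bool         # whether the DLL carries a valid Authenticode signature
    signer: str          # subject name of the signing certificate


# Directories where a genuine Office install keeps winword.exe and wwlib.dll.
# Office14 is the Office 2010 install directory; the list is an assumption
# and should be adjusted to the environment being monitored.
EXPECTED_OFFICE_DIRS = (
    r"c:\program files\microsoft office\office14",
    r"c:\program files (x86)\microsoft office\office14",
    r"c:\program files\microsoft office\root\office16",
)
MICROSOFT_SIGNER = "microsoft corporation"   # assumed signer subject string


def _norm_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons a record looks like wwlib.dll side-loading (empty if none).

    Only winword.exe loading wwlib.dll is examined; every other load returns [].
    """
    reasons: list[str] = []
    if _basename(ev.process_image) != "winword.exe" or _basename(ev.loaded_image) != "wwlib.dll":
        return reasons
    proc_dir = _norm_dir(ev.process_image)
    dll_dir = _norm_dir(ev.loaded_image)
    if proc_dir not in EXPECTED_OFFICE_DIRS:
        reasons.append(f"winword.exe running from unexpected directory {proc_dir}")
    if dll_dir not in EXPECTED_OFFICE_DIRS:
        reasons.append(f"wwlib.dll loaded from unexpected directory {dll_dir}")
    if not ev.signed or ev.signer.lower() != MICROSOFT_SIGNER:
        reasons.append(f"wwlib.dll signer is {ev.signer!r}, not Microsoft")
    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return every record that triggered at least one reason, with its reasons."""
    return [(ev, r) for ev in events if (r := classify(ev))]


# Constructed sample records (not real telemetry): a normal Office 2010
# load, a relocated winword.exe with a non-Microsoft wwlib.dll, and an
# unrelated DLL load that must not be flagged.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\Office14\wwlib.dll",
              True, "Microsoft Corporation"),
    ImageLoad(r"C:\Users\Public\Temp\WINWORD.EXE",
              r"C:\Users\Public\Temp\wwlib.dll",
              True, "Example Signer Ltd"),
    ImageLoad(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\Office14\mso.dll",
              True, "Microsoft Corporation"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.loaded_image)
        for reason in reasons:
            print("  -", reason)
```

Signer checks on their own are not enough here, because the article notes the dropped wwlib.dll was itself signed; the directory mismatch between the process and a known Office install is the stronger signal, and the three-file drop (executable, DLL, encrypted payload with a random name) in the same unusual directory is what an analyst would look for next.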

The motive behind targeting Taiwanese drone makers is of particular interest. With the significant growth of the drone manufacturing industry in Taiwan backed by government support and technological advancements, the country has become a prime target for entities interested in military espionage and supply chain attacks. The researchers noted that even consumer drones are now being used for military purposes, making the industry a lucrative target for cyber threats.

In response to these attacks, the researchers have shared intelligence with cybersecurity authorities in Taiwan and provided indicators of compromise (IoCs). They urge drone makers, especially those still running older versions of Microsoft Word, to watch for suspicious activity. Small businesses in the sector are advised to strengthen their defenses, as traditional antivirus solutions may not be effective against sophisticated threats.

The evolving landscape of cyber threats underscores the importance of proactive cybersecurity measures and continuous monitoring to safeguard critical infrastructure and sensitive data from malicious actors.
