
Error in MSFT Word Causes Controversial Activity by Taiwanese Drone-Maker


In a recent surge of attacks targeting Taiwanese drone makers, cybercriminals have been weaponizing an outdated version of Microsoft Word to deliver malware designed for cyber espionage and disruption of military- and satellite-related supply chains.

The attack, known as “WordDrone,” was uncovered by researchers from the Acronis Threat Research Unit. They identified a dynamic link library (DLL) side-loading technique that abuses the way an installed copy of Microsoft Word loads its libraries. This method enables the installation of a persistent backdoor, named ClientEndPoint, on compromised systems.

The Acronis team became aware of this unique attack vector when investigating a customer complaint from Taiwan regarding suspicious activity in an old version of Microsoft Word. Upon further examination, they discovered that three files – a genuine copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and extension – were introduced to the system. The malicious ‘wwlib’ DLL, acting as a loader for the encrypted payload, was loaded via Microsoft Word.

Further analysis revealed a two-stage attack pattern observed across various environments between April and July of the current year. The initial stage targets Windows desktop machines, while the subsequent stage involves a pivot to Windows servers by the attackers.

The resemblance of the WordDrone attack to a previous campaign targeting Taiwanese drone manufacturers by the threat actor “TIDrone” raises questions of a possible connection. TIDrone, associated with Chinese-speaking threat groups, utilizes ERP software or remote desktop tools to deploy custom malware. Interestingly, the WordDrone attack demonstrates similarities with TIDrone in terms of using ERP components and exploiting vulnerabilities like CVE-2024-40521.

The attackers exploit a side-loading flaw in an outdated version of Winword, allowing the loading of a DLL with a matching name to the original Microsoft-supplied one. This DLL acts as a loader for the main payload stored in an encrypted file, known as the ClientEndPoint backdoor. This backdoor possesses typical malicious functionalities such as eavesdropping on user sessions, executing commands from a C2 server, data exfiltration, and supporting proxy configurations for communication within infected hosts.
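The file pattern described above (a stray copy of Winword, a same-named wwlib.dll next to it, and an oddly named payload file) lends itself to a simple hunt across endpoint file inventories. The script below is an added example, not code from Acronis or from the article; the Office install roots, the "expected" extension list and every sample path are assumptions or constructed data, not real indicators of compromise.

```python
"""Hunt heuristic for the WordDrone-style side-loading triad.

Flags directories that hold WINWORD.EXE together with wwlib.dll outside a
known Office install root and also contain a file with an unexpected
extension (candidate encrypted payload). Added example; all paths below are
constructed sample data.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: legitimate Office roots for this estate. Adjust as needed.
KNOWN_OFFICE_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Microsoft Office"),
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft Office"),
)
# Assumption: extensions one expects beside a Word binary. Anything else
# in a triad directory is reported as a candidate payload file.
EXPECTED_EXTS = {".exe", ".dll", ".xml", ".manifest", ".txt", ".config"}


def _under_known_root(directory: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return any(root in directory.parents or root == directory
               for root in KNOWN_OFFICE_ROOTS)


def find_sideload_triads(paths):
    """Return {directory: [suspicious files]} for every directory with
    winword.exe + wwlib.dll outside a known Office root."""
    by_dir = defaultdict(list)
    for p in map(PureWindowsPath, paths):
        by_dir[p.parent].append(p)
    hits = {}
    for directory, files in by_dir.items():
        names = {f.name.lower() for f in files}
        if not {"winword.exe", "wwlib.dll"} <= names:
            continue                      # no Word + wwlib pair here
        if _under_known_root(directory):
            continue                      # normal install location
        extras = sorted(str(f) for f in files
                        if f.suffix.lower() not in EXPECTED_EXTS)
        if extras:
            hits[str(directory)] = extras
    return hits


# Constructed sample inventory: one genuine install, one suspicious triad,
# one lone winword.exe that should not trigger.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\Office14\wwlib.dll",
    r"C:\Users\Public\Libraries\upd\winword.exe",
    r"C:\Users\Public\Libraries\upd\wwlib.dll",
    r"C:\Users\Public\Libraries\upd\kx7q.tmq",
    r"C:\Temp\tools\winword.exe",
]

if __name__ == "__main__":
    for d, files in find_sideload_triads(SAMPLE_PATHS).items():
        print(f"[!] side-load triad in {d}: {files}")
```

A copy dropped inside a genuine Office directory would evade the root check, so pair this with signature verification of wwlib.dll on the flagged and unflagged paths alike.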

The motive behind targeting Taiwanese drone makers is of particular interest. With the significant growth of the drone manufacturing industry in Taiwan backed by government support and technological advancements, the country has become a prime target for entities interested in military espionage and supply chain attacks. The researchers noted that even consumer drones are now being used for military purposes, making the industry a lucrative target for cyber threats.

In response to these attacks, the researchers have shared intelligence with cybersecurity authorities in Taiwan and provided indicators of compromise (IoCs). They urge vigilance among drone makers, especially those using older versions of Microsoft Word, to watch for suspicious activities. Small businesses in the sector are advised to enhance their defenses as traditional antivirus solutions may not be effective against sophisticated threats.

The evolving landscape of cyber threats underscores the importance of proactive cybersecurity measures and continuous monitoring to safeguard critical infrastructure and sensitive data from malicious actors.
