Zero-day hacking group resorts to UNICORN SMUT-SLINGING

Playboy ploy not beneath APT3

Sysadmins who have not yet patched their Windows boxes against the 18-year-old "unicorn-like" OLE bug disclosed last month could expect a deluge of spear phishing smut from a group once confined to lofty targeted zero-day attacks.

The talented APT3 group was behind the widespread zero-day attacks code-named Clandestine Fox earlier this year and is now targeting recently patched Windows vulnerabilities, according to FireEye researchers.

The group has begun spewing spear-phishing emails targeting two vulnerabilities (CVE-2014-6332 and CVE-2014-4113), disclosed this month and in October respectively.

The former flaw was described by its discoverer, Robert Freeman, as a rare "unicorn-like" bug that had been exploitable for the last 18 years, dating back to Windows 95.

Researchers Ned Moran, Joshua Homan, Mike Oppenheim and Mike Scott said the use of already-patched vulnerabilities was a shift for the group, which is better known for quietly popping targets with zero-day flaws.

"The use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT alike, have now incorporated this exploit into their toolkits," they said in an advisory.

"[APT3] is historically known for leveraging zero-day vulnerabilities in widespread but infrequent phishing campaigns. The use of known exploits and more frequent attacks may indicate both a shift in strategy and operational tempo for this group.

"No matter the strategy, this actor has shown an ability to operate successfully."

In its latest campaign, dubbed Operation Double Tap, the group degenerated into flinging smut at targets with fake offers from "Playboy" that contained Metasploit exploit code. On execution, the attackers could gain system access to the victims' machines.

Domains associated with the attacks have been linked to previous Clandestine Fox campaigns.

Technical analysis can be found in the advisory. ®


Biting the hand that feeds IT © 1998–2017