MS Word Vulnerability Exploited in Operation Pony Express to Spread Malware

Operation Pony Express was a spear-phishing campaign that Sophos researchers tracked between April and May 2015. The research team found that the malware was spread through malicious RTF attachments exploiting a known, already-patched MS Word vulnerability.

Sophos, a cyber-security firm, has also revealed that the Microsoft Word Intruder (MWI) exploit kit, which builds booby-trapped documents for these Word vulnerabilities, is being actively sold for around $140 by a cyber-criminal seller known as Objekt. Objekt sells the kit only to attackers who focus on small, targeted campaigns rather than mass spam.

According to Sophos analysts, MWI-built documents have so far been seen in only a small number of attacks, but wherever they were used the infection rate was extremely high, i.e. around 30%.

All About Operation Pony Express:

1. This operation was a spear-phishing campaign launched somewhere between April and May 2015.

2. In this particular campaign, the hackers relied upon sending targeted emails to organizations and individuals.

3. The emails carried RTF attachments purporting to come from RingCentral.

4. RingCentral is a popular cloud-based communication service.

5. When users opened these attachments, the MS Word vulnerability was exploited by a document built with MWI.

6. As a result, the computers were infected with "downloader" malware.
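The attack chain above starts with an RTF file that users trust because of its sender and its file name. As an added example (not Sophos code and not part of the original article), the following Python routine triages an attachment by content rather than by extension: it checks whether the bytes really are RTF, whether the header is the truncated form Word still accepts, whether object-embedding or DDE control words are present, and whether the file carries a large hex-encoded binary blob. The control-word list and the 512-pair threshold are assumptions chosen for illustration, not a signature for MWI, and both sample documents are constructed here.

```python
"""Content-based triage for e-mail attachments that claim to be RTF.

Added example, not from Sophos or the article. The heuristics below are
assumptions about what an exploit-laden RTF tends to contain; a hit is a
reason to detonate the file in a sandbox, not proof of an exploit.
"""
import re
from dataclasses import dataclass, field
from typing import List

RTF_FULL_HEADER = b"{\\rtf1"
RTF_LENIENT_HEADER = b"{\\rt"  # Word opens files whose header is cut down to this

# Control words that embed objects or trigger DDE; assumed indicator list.
SUSPICIOUS_CONTROL_WORDS = (
    b"\\objemb", b"\\objautlink", b"\\objupdate", b"\\objdata", b"\\objclass",
    b"\\dde", b"\\ddeauto",
)
# A long run of hex pairs is how RTF carries embedded binaries (OLE objects,
# shellcode). 512 pairs is an assumed threshold, not a standard value.
HEX_BLOB = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){512,}")


@dataclass
class RtfVerdict:
    is_rtf: bool
    extension_matches: bool
    control_words: List[bytes] = field(default_factory=list)
    hex_blob_bytes: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_rtf(filename: str, data: bytes) -> RtfVerdict:
    """Return a verdict for one attachment; the file name is only a hint."""
    body = data.lstrip()
    is_rtf = body.startswith(RTF_LENIENT_HEADER)
    ext_ok = filename.lower().endswith(".rtf")
    verdict = RtfVerdict(is_rtf=is_rtf, extension_matches=ext_ok)
    if not is_rtf:
        return verdict  # not RTF at all; other triage applies
    if not body.startswith(RTF_FULL_HEADER):
        verdict.reasons.append("truncated RTF header (Word still parses it)")
    if not ext_ok:
        verdict.reasons.append(f"RTF content delivered under non-.rtf name {filename!r}")
    verdict.control_words = [cw for cw in SUSPICIOUS_CONTROL_WORDS if cw in body]
    if verdict.control_words:
        verdict.reasons.append("embedded-object / DDE control words present")
    for m in HEX_BLOB.finditer(body):
        verdict.hex_blob_bytes += len(re.sub(rb"\s", b"", m.group())) // 2
    if verdict.hex_blob_bytes:
        verdict.reasons.append(f"{verdict.hex_blob_bytes} bytes of hex-encoded binary")
    return verdict


# Constructed samples: a plain RTF note, and a lure-shaped RTF that embeds an
# object made of 600 filler bytes (no real exploit content).
BENIGN_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
              b"\\f0 Your RingCentral fax is attached.\\par}")
CONSTRUCTED_LURE = (b"{\\rt\\ansi{\\object\\objemb\\objupdate{\\*\\objdata "
                    + b"41" * 600 + b"}}}")

if __name__ == "__main__":
    for name, blob in (("invoice.rtf", BENIGN_RTF),
                       ("RingCentral_fax.doc", CONSTRUCTED_LURE)):
        v = triage_rtf(name, blob)
        print(name, "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

The check deliberately ignores what the mail client or the file extension says: a `.doc` name over RTF bytes is itself a reason to look closer, because Word selects its parser from the content, not the name.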

MWI-built documents normally deliver the final malware directly, but in Op Pony Express the attackers chose to drop an intermediary downloader instead.

We may never know the reason for this shift in strategy, but what is certain is that the downloader subsequently delivered far more damaging malware.

Sophos researchers identified infections with Dyzap, Rovnix, Fareit and Wauchos.

The delivery chain was also split across two C&C servers: the first distributed the downloader, while the second served the final malware payload.

Sophos traced these two C&C servers to Ukraine and Russia.

However, it is highly unlikely that the attackers used their real identities and addresses when registering the domains and hosting accounts, so the server locations say little about who is behind the campaign.

Sophos researchers believe that users in the US, UK, Canada and China were the most widely affected by this campaign.

Image Source: Sophos

However, any user running a fully patched version of MS Word would have been spared: MWI exploits known vulnerabilities for which Microsoft has already shipped fixes, so keeping Office up to date is the simplest defence against it.
