Microsoft Office, Windows Server and Lync exploits linked to Operation Hangover hackers

Security experts have linked recent targeted attacks hitting Microsoft's Office, Lync and Windows Server services to two groups of hackers.

FireEye researchers have linked the attacks to the group behind the notorious Operation Hangover attacks and a new criminal cyber-cartel codenamed Arx.

"A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover," FireEye disclosed in a post on its blog.

"However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did."

The attacks were revealed by Microsoft's Trustworthy Computing (TwC) division on Wednesday. Microsoft has since released a temporary fix for the vulnerabilities while it works on a more permanent solution.

The FireEye researchers said the two groups had very different motives and goals when targeting the exploits. The use of the exploits by the Hangover hackers is believed to be a simple extension of the group's previous information-stealing activities.

"Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan," FireEye said.

"It appears that when the target systems successfully checked in to the CnC server, the server could push down an executable file to be executed on the targeted system. The result of that action was recorded in Result.txt.

"We obtained a number of these second-stage executables listed in the Result.txt output from a Hangover-linked CnC server. These executables included a variety of tools including a reverse-shell backdoor, a keylogger, a screenshot grabber and a document exfiltration tool."

Operation Hangover was uncovered in May, when security researchers spotted a number of data-stealing attacks targeting the Apple Mac OS X operating system. The campaign targeted numerous big-name companies including Norwegian telecommunications provider Telenor.

The Arx Group by contrast was listed as having more basic criminal goals. "Malware linked to the Arx group is usually sent out in [fake] ‘Swift Payment' emails. These emails are common in spam campaigns and typically drop banking Trojans and other crimeware," read the FireEye post.

FireEye's findings have been supported by other security providers. Competitor Symantec reported uncovering similar evidence linking the attacks to the Hangover group in a blog post. "After analysing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover," read the post.

Targeted attacks have been a growing problem facing the security community, which has led many government agencies and security providers to call for increased attack data-sharing between businesses.

Symantec pledged to create a new centralised information-sharing big data hub to help customers spot and pre-empt custom-built malware used in targeted attacks at the RSA Conference held in Amsterdam in October.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Microsoft
• Symantec
• Hacking
• cyber-crime