All the latest UK technology news, reviews and analysis

Microsoft Office, Windows Server and Lync exploits linked to Operation Hangover hackers

07 Nov 2013
Security padlock image

Security experts have linked recent targeted attacks hitting Microsoft's Office, Lync and Windows Server services to two groups of hackers.

FireEye researchers have linked the attacks to the group behind the notorious Operation Hangover attacks and a new criminal cyber-cartel codenamed Arx.

"A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover," FireEye disclosed in a post on its blog.

"However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did."

The attacks were revealed by Microsoft's Trustworthy Computing (TwC) division on Wednesday. Microsoft has since released a temporary fix for the vulnerabilities while it works on a more permanent solution.

The FireEye researchers said the two groups had very different motives and goals when targeting the exploits. The use of the exploits by the Hangover hackers is believed to be a simple extension of the group's previous information-stealing activities.

"Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan," FireEye said.

"It appears that when the target systems successfully checked in to the CnC server, the server could push down an executable file to be executed on the targeted system. The result of that action was recorded in Result.txt.

"We obtained a number of these second-stage executables listed in the Result.txt output from a Hangover-linked CnC server. These executables included a variety of tools including a reverse-shell backdoor, a keylogger, a screenshot grabber and a document exfiltration tool."

Operation Hangover was uncovered in May, when security researchers spotted a number of data-stealing attacks targeting the Apple Mac OS X operating system. The campaign targeted numerous big-name companies including Norwegian telecommunications provider Telenor.

The Arx Group by contrast was listed as having more basic criminal goals. "Malware linked to the Arx group is usually sent out in [fake] ‘Swift Payment' emails. These emails are common in spam campaigns and typically drop banking Trojans and other crimeware," read the FireEye post.

FireEye's findings have been supported by other security providers. Competitor Symantec reported uncovering similar evidence linking the attacks to the Hangover group in a blog post. "After analysing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover," read the post.

Targeted attacks have been a growing problem facing the security community, which has led many government agencies and security providers to call for increased attack data-sharing between businesses.

Symantec pledged to create a new centralised information-sharing big data hub to help customers spot and pre-empt custom-built malware used in targeted attacks at the RSA Conference held in Amsterdam in October.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?

Popular Threads

Powered by Disqus

Samsung Galaxy S5 video review

We break down the key strengths and weaknesses of Samsung's latest Android flagship

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery


iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

HR Business Partner


4 x PHP/Zend developer (PHP, Zend, Doctrine, Agile)

4 x PHP/Zend developer (PHP, Zend, Doctrine, Agile...


RISK AND CONTROL ANALYST Location: Cheshire Salary...

JavaScript Developer (OO JavaScript, HTML5, CSS3) - URGENT

JavaScript Developer (OO JavaScript, HTML5, CSS3...
To send to more than one email address, simply separate each address with a comma.