Word vulnerability, Windows bug, and 'Trump's_Attack_on_Syria' document used in Sednit phishing attack
The Sednit group, believed to have been involved in interference with the French election, was also responsible for a phishing attack that used President Trump as the lure. Security firm ESET analyzed a phishing email with an attachment named Trump's_Attack_on_Syria_English.docx and found that it bore the hallmarks of the well-known group.
The document was engineered to infect victims' computers with the Seduploader tool, and it did this by chaining two vulnerabilities, one in Microsoft Word and one in Windows. Sednit -- also tracked as APT28, Fancy Bear, and Sofacy -- combined a recently disclosed remote code execution vulnerability in Word (CVE-2017-0262) with a local privilege escalation hole in Windows (CVE-2017-0263).
ESET's research shows that possessing a vulnerability -- even two -- may well not be enough to snare victims. A hook is needed, and that is precisely the role Donald Trump plays here. When a recipient opens the attachment, an embedded .eps (Encapsulated PostScript) image inside the Word document triggers CVE-2017-0262 and ultimately loads the Seduploader tool. Seduploader in turn exploits the local privilege escalation in Windows (CVE-2017-0263) to run with higher privileges than the user who opened the file.
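A practical consequence of the chain above is that an unexpected EPS image inside a .docx is worth flagging before the file ever reaches Word. The script below is an added triage example, not ESET's tooling or anything from the analysis: it treats the .docx as the zip package it is and reports any embedded part that is EPS by extension or by content signature (the ASCII "%!PS-Adobe" DSC header or the DOS EPS binary header C5 D0 D3 C6), since an attacker can simply rename the part. The sample documents it builds are constructed in memory for the demonstration and contain only a harmless header, not exploit content.

```python
import io
import zipfile

# EPS signatures: the ASCII DSC header and the DOS EPS binary header (C5 D0 D3 C6).
EPS_ASCII_MAGIC = b"%!PS-Adobe"
EPS_DOS_MAGIC = bytes.fromhex("c5d0d3c6")


def find_embedded_eps(docx_bytes: bytes) -> list:
    """Return names of parts inside an OOXML package that carry EPS content.

    A part is flagged if its name ends in .eps or its leading bytes match an
    EPS signature, so a renamed image (e.g. image1.png) is still caught.
    Only parts stored inside the package are inspected; content pulled in via
    external references is out of scope for this check.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)
            if (info.filename.lower().endswith(".eps")
                    or head.startswith(EPS_ASCII_MAGIC)
                    or head.startswith(EPS_DOS_MAGIC)):
                hits.append(info.filename)
    return hits


def build_sample_docx(media_name: str, media_bytes: bytes) -> bytes:
    """Construct a minimal OOXML package with one media part (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body/></w:document>",
        )
        zf.writestr("word/media/" + media_name, media_bytes)
    return buf.getvalue()


# Constructed sample payloads: an EPS header only (no PostScript code) and a PNG header.
SAMPLE_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
SAMPLE_PNG = bytes.fromhex("89504e470d0a1a0a") + b"\x00" * 16


if __name__ == "__main__":
    # An EPS part renamed to .png is still reported; a real PNG is not.
    suspicious = build_sample_docx("image1.png", SAMPLE_EPS)
    benign = build_sample_docx("image1.png", SAMPLE_PNG)
    print(find_embedded_eps(suspicious))  # -> ['word/media/image1.png']
    print(find_embedded_eps(benign))      # -> []
```

Run it against a real attachment with `find_embedded_eps(open(path, "rb").read())`. A hit is not proof of exploitation, only that the document will hand data to the EPS filter, which is the component CVE-2017-0262 lives in; a hit is a reason to detonate the file in a sandbox rather than open it on a workstation.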
ESET's Security Intelligence Team Lead, Alexis Dorais-Joncas, says:
The Sednit group shows that it is far from done with its activities. While maintaining its old habits -- such as the reuse of code and the use of known attack methods, as described in our extensive whitepaper -- we have noted several improvements in Seduploader over the past several months.
ESET reported both vulnerabilities to Microsoft, and they have now been addressed.
Full details of ESET's analysis of the phishing campaign can be found on WeLiveSecurity.com.