Windows exploit being used to attack ME and Asia systems

Hackers using zero-day exploit in Windows to deliver cybercrime Trojan

The attack uses an exploit in the way Microsoft Graphics processes TIFF images.
By Mark Sutton Published November 7, 2013

A vulnerability in a graphics component of Microsoft Windows, Office and Lync is being actively exploited by a hacking group to target systems in the Middle East and South Asia.

The zero-day exploit targets the way Microsoft Graphics processes TIFF images, and it is being used to deliver the Citadel Trojan, which is typically used to steal banking details.

Security specialist FireEye has said that information obtained from the command and control servers of the group responsible, which it has dubbed the Arx group, revealed 619 targets (4024 unique IP addresses), the majority of which are in India (63%) and Pakistan (19%).

FireEye believes that there is a link between these attacks and the Operation Hangover attacks, a multi-year series of coordinated campaigns targeting systems around the world with a primary focus on organisations in Pakistan.

A blog post from the company said:

"Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover, which adds India and Pakistan into the mix of targets. Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan.

"However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did."

The post noted that the Arx group usually sends out its malware in emails claiming to be SWIFT payment notifications, a lure commonly used in spam campaigns that typically drop banking Trojans and other crimeware.

At present Microsoft does not have a security update that fixes the vulnerability, but it has published a suggested workaround at its Security Tech Center: disable the TIFF codec.
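As an added illustration of that workaround (example code, not from the article or from FireEye), the PowerShell script below audits whether the GDI+ TIFF codec has been disabled on a host and can apply the setting. The registry path and value name are the ones used by Microsoft's advisory workaround and are not stated in this article; the function name is my own.

```powershell
# Added example (not from the article): audit, and optionally apply, the
# "disable the TIFF codec" workaround. The registry value below is the one
# Microsoft's advisory workaround sets; it is not quoted in the article.
# Run in an elevated PowerShell session; -Apply writes the value.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # Returns a short status string rather than throwing when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'enabled (value absent)' }
    if ($item.$ValueName -eq 1) { return 'disabled' }
    return "enabled (value = $($item.$ValueName))"
}

Write-Host "TIFF codec state before: $(Get-TiffCodecState)"

if ($Apply) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # DWORD 1 tells GDI+ not to load the TIFF codec, which closes this exploit
    # path at the cost of breaking legitimate TIFF rendering in affected apps.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "TIFF codec state after:  $(Get-TiffCodecState)"
}
```

On 64-bit Windows, 32-bit applications read the redirected Wow6432Node view of HKLM\SOFTWARE, so an audit should check that view as well.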
