Researchers at FireEye have uncovered a new advanced persistent threat crew dubbed APT3, which is using exploits targeting recently disclosed vulnerabilities in Windows. The experts at FireEye believe that APT3 is the same actor behind the “Operation Clandestine Fox” uncovered by the company in April 2014. The hackers exploited an IE zero-day vulnerability in a series of targeted attacks, now the ATP3 group is exploiting a series of flaws in Microsoft OS, including the CVE-2014-6332 vulnerability recently patched that was exploitable for 18 years before the update.
FireEye reported in a blog post the details of the attacks run by the APT3 that exploited the Windows OLE bug and also another Windows privilege escalation vulnerability (CVE-2014-4113).
The joint use of the two vulnerabilities suggests that APT3 has apparently moved from leveraging zero-day exploits, to attacking targets with “known exploits or social engineering”.
“The use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT alike, have now incorporated this exploit into their toolkits. Further, the use of both of these two known vulnerabilities in tandem is notable for APT3. This actor is historically known for leveraging zero-day vulnerabilities in widespread but infrequent phishing campaigns. The use of known exploits and more frequent attacks may indicate both a shift in strategy and operational tempo for this group.” is reported in the post.
The experts highlighted the tactical change of APT3 group, the lack of zero-day exploits may indicate that the attackers have changed strategy, opting for social engineering attacks, and it is likely they decided to increase the frequency of the attacks.
In one attack against an energy company, the APT3 has used as attack vector an email from a supposed job applicant seeking employment. The supposed applicant contacted an employee on a popular social networking site and later sent him a resume via email that contained a malicious file used to drop a backdoor called “Cookie Cutter.”
In the last wave of attacks, dubbed “Operation Double Tap”, the APT3 sent malicious emails claiming to offer a free month’s membership to a Playboy website.
The post published by FireEye also includes the indicators of compromise (IOCs).
(Security Affairs – APT3, cyber espionage)