Taiwan has fallen prey to a Microsoft Word vulnerability that was identified back in March and is still being used by attackers despite the fact that it has been patched.
Trend Micro reports that a range of attacks have been carried out against both Taiwanese government bodies and educational institutions in the country even though the vulnerability was patched up during Microsoft’s April Patch Tuesday release.
The first attack was in the form of a malicious email attachment that was sent to a government employee and it had a title linked to a national poll that made it look legitimate.
“The attachment is actually the exploit, detected as TROJ_ARTIEF.ZTBD-R. It drops a file detected as BKDR_SIMBOTDRP.ZTBD-R, which then drops two files – TROJ_SIMBOTLDR.ZTBD-R and TROJ_SIMBOTENC.ZTBD-R. These two files finally lead to the final payload detected as BKDR_SIMBOT.SMC,” explained Trend Micro’s advisory.
A Taiwanese educational establishment was the subject of the second attack when, again, an email attachment was used to gain access to the recipient’s computer and subsequent network. It discussed free trade issues and the attachment had a title related to a work project.
Both attacks have links to the Taidoor campaign that has been active since 2009 and this was detected as the two have a similar network traffic structure and both attacks had almost identical characteristics compared to previous attacks.
An additional attack that uses the same vulnerability targeted a mailing service in the same country and this time the attachment masqueraded as a list of new books from a particular publishing house.
To prevent further attacks or damage, Trend Micro reminds everyone, regardless of whether they are enterprises or regular users, to install patches as soon as they are released. Employee education is also cited as a key way to prevent targeted attacks and make sure that malicious email attachments aren’t opened.