Kaspersky Lab, a global cyber security company, reports that its Global Research and Analysis Team has for the last few months been observing a wave of cyber espionage attacks. These attacks are reportedly conducted by different groups across the Asia-Pacific (APAC) and Far East regions. All these attackers share one common feature: to infect their victims with malware, they use an exploit for the CVE-2015-2545 vulnerability. This weakness in Microsoft Office was reportedly patched in December 2015, but still appears to be of use to such attackers. Some of the cyber espionage groups known to exploit this vulnerability are Platinum, APT16, EvilPost, and SPIVY. They are now joined by a fairly new and hitherto unknown group called Danti.
An exploit is a malicious tool widely used by cyber espionage groups and other cybercriminals to silently infect targeted machines with a particular type of malware. Years ago, the use of so-called zero-day vulnerabilities, which are exploited in the wild before the vendor of the affected software releases a security patch, was the defining characteristic of sophisticated threat actors. Things have changed: cyber espionage groups are now more likely to use exploits for known vulnerabilities, simply because it is cheaper and seems to deliver an acceptable rate of infection.
The CVE-2015-2545 vulnerability, patched at the end of last year, enables an attacker to execute arbitrary code using a specially crafted EPS image file. The severity of the exploit for this vulnerability is very high because it uses a PostScript technique and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections built into Windows. Danti is the latest group that has been spotted exploiting this vulnerability.
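As an added example, not from the Kaspersky report or this article, here is a defender-side check for the delivery vector described above: a small Python scanner that lists EPS parts embedded in an OOXML (docx/xlsx/pptx) archive, flagging them by extension, by the content type the document declares, and by PostScript magic bytes, so a renamed part is still caught. The sample archive it builds is constructed for the demonstration and is not a real document.

```python
import io
import zipfile

# PostScript/EPS signatures: the ASCII header and the DOS EPS binary header.
EPS_MAGIC_ASCII = b"%!PS-Adobe"
EPS_MAGIC_DOS = b"\xC5\xD0\xD3\xC6"
POSTSCRIPT_CONTENT_TYPE = b"application/postscript"


def looks_like_eps(data: bytes) -> bool:
    """Return True when a part's first bytes carry a PostScript/EPS signature."""
    head = data[:32]
    return head.startswith(EPS_MAGIC_DOS) or head.lstrip().startswith(EPS_MAGIC_ASCII)


def find_embedded_eps(doc_bytes: bytes) -> list:
    """List parts of an OOXML archive that are EPS images.

    A part is reported if its name ends in .eps or its bytes start with an EPS
    signature; whether the archive declares a PostScript content type is noted
    alongside, since a renamed part may not match the declared extension.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        declares_ps = False
        if "[Content_Types].xml" in names:
            declares_ps = POSTSCRIPT_CONTENT_TYPE in zf.read("[Content_Types].xml")
        for name in names:
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            data = zf.read(name)
            by_ext = name.lower().endswith(".eps")
            by_magic = looks_like_eps(data)
            if by_ext or by_magic:
                hits.append({"part": name, "by_ext": by_ext, "by_magic": by_magic,
                             "content_type_declared": declares_ps})
    return hits


def build_sample_docx(eps_part_name: str, eps_payload: bytes) -> bytes:
    """Construct a minimal docx-like zip for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Default Extension="eps" ContentType="application/postscript"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(eps_part_name, eps_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an EPS header stored under an image name that hides its extension.
    sample = build_sample_docx("word/media/image1.png", b"%!PS-Adobe-3.0 EPSF-3.0\n")
    for hit in find_embedded_eps(sample):
        print("embedded EPS part:", hit)
```

The scanner reports presence only; a flagged part still has to be examined, and a harmless EPS logo will be flagged just as a crafted one would.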