Iranian APT group invades government networks with malware via vulnerability in Outlook

The United States Cyber Command warned that cybercriminals exploit vulnerabilities in Outlook email client, trying to introduce malware into government networks.

This is a vulnerability CVE-2017-11774, discovered in 2017 and fixed by Microsoft in October of the same year. This bug allows going beyond the Outlook sandbox environment and execute malicious code in the system.

In 2018, the Iranian pro-government group APT33 (or Elfin) adopted the vulnerability, mainly known for developing the Shamoon malware that was erasing data from hard drives. According to the information security company FireEye, in the attacks last December, the group introduced backdoors to web servers and used CVE-2017-11774 to infect the systems of victims of malware.

APT33 attacks coincided with reports about new versions of Shamoon. Although experts did not find a connection between these two events, according to Chronicle Security expert Brandon Levene, samples downloaded by the US Cyber Command on VirusTotal are related to the 2017 Shamoon attacks.

“Three of five malwares are tools for managing compromised web servers, and the other two are downloaders that use PowerShell to download the PUPY RAT Trojan for remote access”, – said Brandon Levene in an interview with ZDNet.

According to the expert, if the attacks with the exploitation of CVE-2017-11774 and these malicious data are linked, this explains how exactly APT33/Shamoon operators compromise objects of the attacks. Previously there was little information about the infection vectors.

In November last year, the US Cyber Command commenced a project in which it publishes on VirusTotal non-classified malware used in various APT groupings.