Malware-Loaded Microsoft Document Aimed At NATO Governments

NATO has been targeted by malware hiding in Microsoft Word document targeted at member governments of the intergovernmental military alliance in order to carryout reconnaissance and analysis.

Cisco’s Talos security research team identified the malware, noting it had several unusual features, such as the ability to avoid sandbox detection, exploit Adobe Flash, and swap out the malware payload with junk data to overload the resource pools of simplistic security devices.

Malware meets NATO

The Talos researchers noted that the malware campaign happened across Christmas and the New Year, and through analysis found that the Microsoft World document had a succession of embedded objects that enabled the execution of the malware payload through various stages, including forming a connection with a Command and Control server and targeting information on the victims machine to ascertain the version of the operating system and Adobe Flash it is running.

“The analysis of the Microsoft Office document shows an advanced workflow of infection. The purpose of the document is first to perform a reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly,” the security researchers said.

“This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard word trojan.

“It’s important to note that the actor realised security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices. These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly.”

So far, it appears that no-one in NATO has fallen victim to that hack attack, but the sophistication of the malware indicates that it has come from a skilled hacker or hacker collective, potentially with the backing of a state sponsor. However, as it currently stands this is simply speculation.

With ransomware wreaking havoc in hotels and the return of the HummingBad malware, 2017 look set to be a year full of nasty cyber attacks waiting to catch out the unwary.

Are you a security pro? Try our quiz!

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

5 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

7 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

9 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

9 hours ago