Microsoft releases patches for a vulnerability in MS Word

SISA Weekly Threat Watch - 13 March 2023

Despite advances in security technology, threat actors continue to experiment with new evasion techniques to avoid detection by security solutions. Researchers observed multiple attack campaigns targeting specific industries and geographies around the world this week to drop new backdoors, crypto miners, info-stealers, trojans, and custom malware. Organizations are advised to adopt a multifaceted approach that prioritizes visibility, awareness, and strong patch management to prevent emerging threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. SCARLETEEL leverages Terraform, Kubernetes, and AWS to steal data

The SCARLETEEL attack campaign targeted containerized environments, allowing the attacker to perform privilege escalation and steal proprietary software and credentials from an AWS account. After successfully infiltrating the vulnerable public-facing service, the attacker launched an XMRig crypto miner and used a bash script to acquire credentials that allowed for further unauthorized access to the AWS cloud infrastructure and extraction of sensitive data.

The attackers disabled CloudTrail logs to reduce their digital trail, blocking Sysdig from obtaining further evidence. As a result, they were able to access more than 1TB of sensitive data, such as customer scripts, troubleshooting tools, and log files. It is recommended to patch and implement a vulnerability management cycle for applications and public-facing containers to identify and prioritize patching activities for exposed vulnerabilities. It is also critical to regularly monitor and remove outdated or unused cloud objects to ensure the security of the system.

2. Armenian entities hit by new version of OxtaRAT spying tool

A new backdoor named OxtaRAT, which allows remote access and desktop surveillance, has been used to attack entities in Armenia via the internet. Hackers used a geopolitical bait in the attack, sharing an image file (.SCR) that was posing as a PDF document.  After being launched, it instantiates the self-extracting cab file Alexander Lapshin.EXE, which drops files and runs the exec.bat script file. Using OxtaRAT, an attacker can open files on the targeted workstations, run extra commands, conduct surveillance, and steal sensitive data.

Over ten new commands providing new capabilities have been added to OxtaRAT, including support for the exfiltration of new file types, recursive enumeration of files in a folder, and gathering more metadata like size and last modified date. It is recommended to ensure that all software is updated to the latest version and security patches are applied. This can help minimize vulnerabilities that may be exploited by the malware. Users are advised to be cautious of any suspicious emails, especially those with attachments or links as malware like OxtaRAT often spreads through phishing emails.

3. CVE-2023-21716: Microsoft Word remote code execution (RCE) vulnerability

Microsoft has released patches for a critical remote code execution vulnerability found in Office Word’s RTF parser. CVE-2023-21716 vulnerability affects a wide variety of Microsoft Office, SharePoint, and 365 Apps versions. The heap corruption vulnerability, when exploited, allows adversaries to execute arbitrary commands with the victim’s privileges via malicious RTF files.  Microsoft warns that users don’t even have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start.

Due to the low complexity and high impact of potential exploitation, this vulnerability has a CVSS score of 9.8 (Critical).  The safest way to deal with the vulnerability is to install the security update from Microsoft. It is also suggested to simulate Microsoft Word CVE-2023-21716 attacks to test the effectiveness of the security controls against vulnerability exploitation attacks.

4. Experts identify info-stealer and trojan in Python Package on PyPI

A malicious Python package posted to the Python Package Index, or PyPI, contained a fully functional information stealer and remote access trojan found to be incorporated in malicious Program code. The info-stealer malware ‘Colour-Blind’ hides its harmful code in the setup script, which is run whenever the package is installed using the pip command. When the setup script is run, it downloads a ZIP file from a hard-coded Discord URL, unzips it, and then executes the main payload.

The malware launches a Flask web application on the compromised server, making it possible for threat actors to access it all through Cloudflare’s “cloudflared” reverse tunnelling service despite any inbound firewall rules. An anonymous file-transfer website called is used to exfiltrate data. Developers are recommended to verify all imported libraries in an application, to make sure that there are no accidental typos in library names. Additionally, use virtualized environments for development tasks that can be rapidly rebuilt if a malicious package gets installed.

5. Iron Tiger hackers create Linux version of their custom malware

APT Iron Tiger has upgraded SysUpdate, one of its patented malware families, to include additional functionality and support for malware infection on Linux machines. The new malware variant is very similar to Iron Tiger’s Windows version of SysUpdate in terms of functionality and is developed in C++ utilizing the Asio library. A gambling company based in the Philippines was one of the victims of this campaign, and the attack made use of a command-and-control server that was registered with a domain similar to the victim’s brand.

The campaign now employs a genuine and digitally signed “Microsoft Resource Compiler” application (rc.exe) to carry out DLL side-loading with rc.dll to load shellcode. It then copies the necessary files to a hardcoded folder and creates a service or changes the registry to establish persistence. The Linux SysUpdate variation also includes DNS tunnelling to get around network security mechanisms like firewalls which may be set up to prohibit all traffic that goes outside a certain IP address allowlist.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider