Kaspersky Lab has claimed that the Danti cyberespionage group, which is highly focused on diplomatic entities, may “already have full access to internal networks in Indian government organisations”. The security firm claimed “the threat actors behind Danti have created emails in the names of several high-ranking Indian government officials”.
Noting that it has been observing a wave of cyberespionage attacks exploiting the CVE-2015-2545 vulnerability in Microsoft Office software in the Asia-Pacific region, Kaspersky said that once the vulnerability is exploited, the Danti backdoor is installed; this gives the threat actor access to the infected machine, from which sensitive data can then be exfiltrated. The vulnerability was patched at the end of 2015, but still appears to be of use to these threat actors.
The Kaspersky Security Network said some Danti Trojans, delivered through spear-phishing emails, have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. The activity was first spotted at the beginning of February and continues today.
“The Platinum, APT16, EvilPost and SPIVY groups were already known to use the exploit,” the note said.
While the origin of Danti is unknown, Kaspersky Lab researchers suspect the group is somehow connected to the Nettraveler and DragonOK groups powered by “Chinese-speaking hackers”.
“We expect to see more incidents with this exploit, and continue to monitor new waves of attacks and the potential relationship with other attacks in the region. Waves of attacks conducted with the help of just one vulnerability suggest two things: firstly, that threat actors tend not to invest many resources into the development of sophisticated tools, like zero-day exploits, when 1-day exploits will work almost as well. Secondly, the patch-adoption rate in the target companies and government organisations is low,” said Alex Gostev, Chief Security Expert at Kaspersky Lab Research Center in APAC, urging companies to pay closer attention to patch management in their IT infrastructure.
“The CVE-2015-2545 error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The severity of the exploit for this vulnerability is high because it uses a PostScript technique and can evade the Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) protection methods embedded in Windows,” Kaspersky Lab said.
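Because the attack chain described above depends on an EPS image embedded inside an Office document, one cheap triage check a mail gateway or incident responder can run on inbound attachments is to open the OOXML container (a .docx, .pptx or .xlsx is a zip archive) and flag any entry that is EPS, by extension or by its leading bytes. The script below is an added example written for this article; it is not Kaspersky's tooling or any product's code. It assumes OOXML-format attachments and uses the standard EPS signatures (`%!PS-Adobe` for text EPS and the four-byte DOS-EPS header); the sample documents it builds are constructed in memory for the demonstration.

```python
import io
import zipfile

# Standard EPS signatures (from the EPS/PostScript format, not from the article).
EPS_TEXT_MAGIC = b"%!PS-Adobe"          # text EPS / PostScript files start with this
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"     # DOS-EPS binary wrapper header


def find_embedded_eps(doc_bytes: bytes) -> list[str]:
    """Return the names of zip entries in an OOXML document that carry EPS
    content, matched either by a .eps extension or by leading magic bytes.
    Checking the bytes matters: a renamed image (e.g. image3.bin) would
    otherwise slip past an extension-only filter."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)
            name = info.filename
            if (name.lower().endswith(".eps")
                    or head.startswith(EPS_TEXT_MAGIC)
                    or head.startswith(EPS_DOS_MAGIC)):
                hits.append(name)
    return hits


def triage_attachment(doc_bytes: bytes) -> tuple[str, list[str]]:
    """Gateway-style verdict: quarantine anything with embedded EPS for review."""
    hits = find_embedded_eps(doc_bytes)
    return ("QUARANTINE" if hits else "PASS"), hits


def build_sample_docx(media: dict[str, bytes]) -> bytes:
    """Constructed minimal OOXML container used only to exercise the check;
    it is not a real document and carries no exploit content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one benign PNG, one document with two EPS members
    # (one by extension, one disguised under a neutral extension).
    clean = build_sample_docx(
        {"word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8})
    suspicious = build_sample_docx({
        "word/media/image2.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n",
        "word/media/image3.bin": EPS_DOS_MAGIC + b"\x00" * 28,
    })
    for label, doc in (("clean.docx", clean), ("suspicious.docx", suspicious)):
        verdict, members = triage_attachment(doc)
        print(f"{label}: {verdict} {members}")
```

A hit only says the document embeds EPS, which some legitimate files do, so the verdict is a reason to hold the attachment for review rather than proof of an exploit; the durable fix remains applying the Office patch that Kaspersky notes has been available since the end of 2015.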