Almost exactly one month ago we warned about a zero-day in Flash which was being exploited in targeted attacks. Back then, malicious SWF files were embedded inside Microsoft Excel files. Excel was used strictly as a delivery vehicle.
This month, it’s Microsoft Word’s turn. The malicious .doc referenced by Brian Krebs shares a lot of commonalities with the malicious Excel sheet from last month. So if they aren’t the same gang as before the attackers were at least inspired by this previous incident.
In contrast to last month, there’s no Poison Ivy backdoor installed in this case. This time the attack involves a Backdoor which some vendors refer to as Zolpiq, though most will be calling it something generic.
The way Zolpiq manifests itself on the system is a bit more stealthy than Poison Ivy. This may explain the shift away from the popular Poison Ivy kit. We added detection for this backdoor yesterday, as Trojan-Dropper.Win32.Small.hgt.
Overall, the same comments from last month still stand. If we want to more effectively fight these targeted attacks software vendors need to give us the option to disable features. I don’t want to view embedded Flash files in Word or Excel and neither should you. But other than uninstalling applications there isn’t a choice currently.