Security researchers at Fortinet recently discovered a malicious document, suspected of targeting the Philippines, that exploits a Microsoft Office vulnerability. The document is named “Draft PH-US Dialogue on Cyber Security.doc.”
According to cybersecurity software firm Fortinet, the malware, called Hussarini or Sarhust, belongs to a backdoor family used in APT (advanced persistent threat) attacks. It has been targeting countries in the ASEAN region that are vulnerable to malware attacks.
Why the Philippines?
The security researchers explained that the country is reported to be the most exposed and most vulnerable to APT cyberattacks. Some organizations in the country are still using legacy computers that are no longer supported by sophisticated anti-virus or anti-malware software.
The exploit document targets the Microsoft CVE-2017-11882 vulnerability. When it finds its way in, the malicious document then “drops two files — Outllib.dll and OutExtra.exe — in the %Temp% directory.”
Cybercriminals abuse Microsoft’s finder.exe (dropped as OutExtra.exe) to load the Hussarini backdoor via DLL hijacking.
DLL hijacking is a means of deceiving an application (an .exe) into loading malicious code. This way, the malware can run on its target without being noticed by the “Host Intrusion Prevention System (HIPS) of security programs that monitor the behaviors of executed files.”
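For defenders, the drop-and-hijack pattern described above can be hunted in image-load telemetry. The following Python code is an added example, not taken from Fortinet's analysis or from this article: it flags any process running from a Temp directory that loads a DLL sitting in its own folder, and raises the severity when the pair matches the file names reported here. The event field names are modelled on Sysmon Event ID 7 (Image, ImageLoaded); the sample records, user name, paths and Temp locations are constructed assumptions.

```python
import ntpath
import re

# File names reported on this page for the dropped pair (compared case-insensitively).
PAGE_NAMES = {"outextra.exe", "outllib.dll"}
# Assumed typical %Temp% locations: per-user AppData Temp and the system Temp folder.
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)(\\|$)", re.I)

# Constructed image-load records, shaped like Sysmon Event ID 7 (Image, ImageLoaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ana\AppData\Local\Temp\OutExtra.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Outllib.dll"},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\OutExtra.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\Office14\wwlib.dll"},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\setup\updater.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\setup\helper.dll"},
]


def find_temp_sideloads(events):
    """Return alerts for processes in a Temp directory loading a DLL from their own folder."""
    alerts = []
    for ev in events:
        exe_dir, exe_name = ntpath.split(ev["Image"])
        dll_dir, dll_name = ntpath.split(ev["ImageLoaded"])
        if not TEMP_DIR.search(exe_dir):
            continue  # process is not running from a Temp location
        if exe_dir.lower() != dll_dir.lower():
            continue  # DLL came from elsewhere (e.g. System32), not from beside the EXE
        # High severity only when both names match the pair reported on this page.
        named = {exe_name.lower(), dll_name.lower()} <= PAGE_NAMES
        alerts.append({"exe": exe_name, "dll": dll_name,
                       "severity": "high" if named else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_temp_sideloads(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity branch matters because file names are trivial to change, while the behaviour (an executable in Temp loading a DLL from beside itself) is what the technique depends on.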
The researchers were able to spot “decoy” documents from hxxp://220.127.116.11:29317/office/word/2003/ph2/philip.varilla, in which they suspect the “ph” in “ph2” could mean Philippines. They later found out that “philip.varilla” belongs to the service director of the Philippines’ Department of Information and Communications Technology (DICT).
Hussarini has limited capabilities, however, which include downloading and executing files/components.
The researchers further explained that “Hussarini uses a dynamic domain to maintain anonymity and to also possibly be able to change the C&C server IP address. At the time of this analysis, however, we only saw it resolved to the IP address 18.104.22.168, which is the same IP used to host the decoy document.”