Taiwanese Drone Makers Targeted by ‘WordDrone’ Attack Exploiting Old MS Word Flaw

September 11, 2024

The Acronis Threat Research Unit has unveiled a recent wave of cyber-attacks on Taiwanese drone manufacturers, which they've termed 'WordDrone'. This attack leverages an old vulnerability in Microsoft Word to install a backdoor named 'ClientEndPoint' on targeted systems. The attack was first discovered upon investigating a customer issue from Taiwan regarding a peculiar process of an obsolete version of Microsoft Word.

The attack employs a dynamic link library (DLL) side-loading technique, usually associated with Microsoft Word's installation process. Three files were identified in the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension. The malicious 'wwlib' DLL was side-loaded using Microsoft Word, serving as a loader for the actual payload residing inside the encrypted file with a random name. Similar two-stage attack patterns were found across multiple environments between April and July this year. Initially, the attacks target Windows desktop machines, with the second stage shifting focus to Windows servers.

The connection between this attack vector and a similar wave of cyber incidents against Taiwanese drone manufacturers by a threat actor known as 'TIDrone' is yet unclear. The latter, associated with other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware. The WordDrone attack also seems to involve an ERP component. The first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin. Some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

The attack exploits a side-loading vulnerability in an old version of Winword (v14.0.4762.1000), enabling attackers to load a DLL that has a name matching the original supplied by Microsoft. Upon further investigation, the wwlib library was found to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted file in the same directory. The payload, the ClientEndPoint backdoor, has typical malware functionality, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2.

The rapid growth of the drone industry in Taiwan, its significant technological capabilities, and its status as a US ally make it a prime target for adversaries interested in military espionage or supply chain attacks. This situation underlines the importance of vigilance against suspicious activity, particularly concerning older versions of Microsoft Word. Small businesses in the sector should be especially mindful and bolster their defenses, as traditional antivirus solutions may not be effective against the type of advanced threats they could face in the near future.

Latest News

• Ivanti Addresses Critical RCE Vulnerability in Endpoint Management Software
• Microsoft Rectifies Zero-Day Flaw in Windows Smart App Control Exploited Since 2018
• Microsoft's September 2024 Patch Tuesday Addresses 79 Security Flaws Including 4 Zero-days
• NoName Ransomware Gang Expands Tactics, Now Deploying RansomHub Malware
• CISA Adds SonicWall SonicOS, ImageMagick, and Linux Kernel Bugs to Its Known Exploited Vulnerabilities Catalog