Microsoft zero-day was used in Citadel Trojan campaign, as well as targeted attacks

Graham Cluley

Researchers at FireEye say they have uncovered evidence that the recently announced Microsoft zero-day vulnerability is not only being used in targeted attacks, but has also been used in wider, financially-motivated malware campaigns.

Yesterday, Microsoft announced a critical security vulnerability that was being exploited in targeted attacks – mostly against “companies based in the Middle East and South Asia”.

FireEye says that it has connected the attack with the “Operation Hangover” attacks against India, Pakistan and other countries uncovered earlier this year.

But what is perhaps most interesting to regular computer users is that the CVE-2013-3906 zero-day vulnerability, which is triggered by specially crafted TIFF images, was also being used in attacks that spread versions of the sophisticated Citadel banking Trojan horse.


FireEye links these more widespread attacks to the Arx hacking group, which typically spammed out malware-laden messages posing as “SWIFT Payment” emails.

Malware campaign. Image courtesy of FireEye

Opening the attached Word DOC files would cause your computer to install further malware, with the intention of spying on your online banking and stealing your credentials.

Booby-trapped Word document. Image courtesy of FireEye

This discovery underlines for all at-risk Microsoft users the importance of installing the temporary emergency Fix it tool. It is not just big corporations and nation states who are at risk of having their computers compromised by this security flaw.

Read more on the FireEye blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
