McAfee researchers have discovered a new RTF exploit aimed at Indian people and businesses
The exploit takes advantage of the Microsoft Word ActiveX control vulnerability CVE-2012-0158 and uses timely news to serve up malicious content, according to McAfee's post on the attack. The attack is delivered through an attachment to a spear-phishing email. The exploit drops dw20.exe in the %temp% directory and then drops gupdate.exe in the same directory. This last file connects to control servers.
This attack drops malware identified as Win32/Syndicasec, which could allow attackers to run arbitrary commands with elevated privileges.
Although Windows has already patched its Word ActiveX vulnerability, the McAfee researchers write that “the vulnerability has been used in several targeted campaigns in the past and continues to be popular in ongoing targeted attacks.”
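The drop sequence described above (dw20.exe written to %temp%, then gupdate.exe in the same directory) can be hunted for in endpoint file-creation telemetry. The following is an added example, not code from McAfee or the original article; the record fields (`ts`, `host`, `path`), the sample records and the 10-minute window are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# File names and drop order are from the article: dw20.exe first, then gupdate.exe.
FIRST_DROP, SECOND_DROP = "dw20.exe", "gupdate.exe"

def temp_dir_of(path):
    """Return the normalised parent folder if it is a Temp directory, else None."""
    folder = ntpath.dirname(ntpath.normcase(ntpath.normpath(path)))
    return folder if ntpath.basename(folder) == "temp" else None

def find_drop_chain(events, window=timedelta(minutes=10)):
    """Return (host, folder) pairs where dw20.exe is followed by gupdate.exe
    in the same Temp folder. The 10-minute window is an assumed tuning value."""
    first_seen, hits = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        folder = temp_dir_of(ev["path"])
        if folder is None:
            continue  # a dw20.exe or gupdate.exe outside Temp is not this chain
        key = (ev["host"].lower(), folder)
        name = ntpath.basename(ntpath.normcase(ev["path"]))
        ts = datetime.fromisoformat(ev["ts"])
        if name == FIRST_DROP:
            first_seen[key] = ts
        elif name == SECOND_DROP and key in first_seen:
            if ts - first_seen[key] <= window and key not in hits:
                hits.append(key)
    return hits

# Constructed file-creation records (hosts, users and times are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:00:05", "host": "WS-01", "path": r"C:\Users\asha\AppData\Local\Temp\dw20.exe"},
    {"ts": "2024-01-01T09:00:09", "host": "WS-01", "path": r"C:\Users\asha\AppData\Local\Temp\gupdate.exe"},
    {"ts": "2024-01-01T09:10:00", "host": "WS-02", "path": r"C:\Tools\DW\DW20.EXE"},
    {"ts": "2024-01-01T09:10:04", "host": "WS-02", "path": r"C:\Users\dev\AppData\Local\Temp\gupdate.exe"},
    {"ts": "2024-01-01T09:20:00", "host": "WS-03", "path": r"C:\DOCUME~1\ravi\LOCALS~1\Temp\DW20.EXE"},
    {"ts": "2024-01-01T09:20:03", "host": "WS-03", "path": "C:/DOCUME~1/ravi/LOCALS~1/Temp/GUpdate.exe"},
    {"ts": "2024-01-01T09:30:00", "host": "WS-04", "path": r"C:\Windows\Temp\gupdate.exe"},
    {"ts": "2024-01-01T09:30:02", "host": "WS-04", "path": r"C:\Windows\Temp\dw20.exe"},
]

if __name__ == "__main__":
    for host, folder in find_drop_chain(SAMPLE_EVENTS):
        print(f"{host}: dw20.exe then gupdate.exe written to {folder}")
```

Matching on the ordered pair in one Temp folder, rather than on either file name alone, keeps a lone gupdate.exe or a dw20.exe outside Temp from raising an alert. The folder comparison is textual, so a short (8.3) path and its long form are treated as different directories.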