The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.
Exploit-MSExcel.h.
Vulnerability details
Advisory: SB2007020204 - Buffer overflow in Microsoft Excel
Vulnerable component: Microsoft Excel
CVE-ID: CVE-2007-0671
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-119 - Memory corruption
Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Known APT campaigns:
Sykipot campaigns
Sykipot attacks trace back to 2006.
The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).
According to Symantec, the Sykipot group has Chinese roots.
External links:
https://www.symantec.com/security_response/writeup.jsp?docid=2007-021911-2650-99
https://www.symantec.com/connect/blogs/latest-office-zero-day-vulnerability
https://technet.microsoft.com/en-us/library/security/ms07-015.aspx
https://technet.microsoft.com/library/security/932553
http://blog.trendmicro.com/trendlabs-security-intelligence/the-sykipot-campaign/