The attack was reported on February 2007. The exploit dropped malware that used www.top10member.com C&C server. According to TrendMicro, the malware functionality was very similar to BKDR_SYKIPOT.B.
Vulnerable component: Microsoft Excel
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when handling malformed records in Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
Known APT campaigns:
Sykipot attacks trace back to 2006.
The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).
According to Symantec, the Sykipot group has Chinese roots.