On Friday afternoon, Microsoft security investigators issued a warning about an ongoing spam wave spreading emails that carry malicious RTF documents; once a user opens one of the RTF documents, it infects the system with malware without any further user interaction.
Microsoft said that the spam wave appears to target European users, as the emails are sent in different European languages.
“The new campaign downloads the RTF file and runs several different types of scripts (VBScript, PowerShell, PHP, etc) in order to download the payload,” says the Microsoft Security Intelligence team.
The final payload is a Trojan backdoor, Microsoft said. Fortunately, the Trojan's command and control server appears to have gone offline by Friday, after Microsoft issued its security alert.
However, future campaigns could use the same tactic to spread a new version of the backdoor Trojan that connects to a working server, giving crooks direct access to infected computers.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Security Intelligence (@MsftSecIntel) 7 June 2019
The good news is that this spam campaign is harmless for users whose systems are up to date. The initial infection vector relies on an old Office vulnerability that Microsoft patched in November 2017; users who applied the November 2017 Patch Tuesday security updates should be safe.
The vulnerability is tracked as CVE-2017-11882. It affects an older version of the Equation Editor component that ships with Office installs and is kept alongside the newer Microsoft equation editor module for compatibility purposes.
Back in 2017, Embedi security researchers discovered a bug in this older component that allows threat actors to execute code on a user's device without any interaction, as soon as the user opens a weaponized Office file containing the exploit.
Because Microsoft appears to have lost the source code for this old component, it decided to remove the old Equation Editor from the Office pack in January 2018, after a second Equation Editor bug was discovered.
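As an added, defender-oriented example that is not from the article or from Microsoft: a Python triage heuristic that flags RTF files embedding an Equation Editor object, the component this exploit targets. The "Equation.3" ProgID and the CLSID are well-known Equation Editor 3.0 identifiers assumed here; the sample RTF is constructed, carries only a benign OLE object header, and contains no exploit.

```python
import re

# Markers of an embedded Equation Editor 3.0 object: the OLE ProgID "Equation.3"
# and the CLSID {0002CE02-0000-0000-C000-000000000046} in on-disk (little-endian)
# layout. Both are well-known identifiers, assumed here rather than taken from the article.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# RTF control words that carry an embedded object's class name and hex-encoded body.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(blob: bytes) -> bytes:
    """Hex-decode an \\objdata payload, ignoring whitespace and a dangling odd nibble."""
    hexstr = re.sub(rb"\s+", b"", blob)
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr.decode("ascii"))


def find_equation_objects(rtf: bytes) -> list:
    """Return the reasons (if any) an RTF document looks like it embeds Equation Editor."""
    hits = []
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith(b"equation"):
            hits.append("objclass " + m.group(1).decode(errors="replace"))
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        if EQUATION_PROGID in data:
            hits.append("objdata contains Equation.3 ProgID")
        if EQUATION_CLSID in data:
            hits.append("objdata contains Equation Editor CLSID")
    return hits


# Constructed sample: an OLE 1.0 object header (version 01050000, format 02000000,
# class-name length 0b000000, "Equation.3\0") with no exploit body at all.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000}}}"
)
BENIGN_RTF = rb"{\rtf1\ansi Hello world.\par}"

if __name__ == "__main__":
    print(find_equation_objects(SAMPLE_RTF))  # two hits: objclass and ProgID
    print(find_equation_objects(BENIGN_RTF))  # []
```

Obfuscated RTF (split control words, junk characters inside the hex) can evade this simple pattern match, so treat a hit as a reason to inspect the file, not as a verdict.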
However, many users and companies often fail or forget to install security updates promptly.
CVE-2017-11882, ONE OF TODAY’S MOST POPULAR VULNERABILITIES
Malware operators jumped on this exploit and have been weaponizing it since the end of 2017, knowing they would have plenty of time to profit from users who forget to install security updates.
And they did. They have used the exploit repeatedly. CVE-2017-11882 was the third most exploited vulnerability of 2018 in a Recorded Future report, and a Kaspersky report also ranked it near the top of its list.
The exploit itself is a gift because, unlike most other Office attacks, it needs no user interaction: it does not require users to enable macros or dismiss security warnings in popups.
While Microsoft warned this week about CVE-2017-11882 being used in mass spam campaigns, the exploit is also very popular with hacker groups engaged in economic espionage and intelligence collection.
In two separate reports this week, for example, FireEye said that CVE-2017-11882 was shared among various Chinese cyber-espionage groups.
The fact that several Chinese state-sponsored hacking groups use this exploit is proof of its efficiency, and another reason why users need to be aware of it and apply the necessary patches.