Microsoft Warns of Malspam Campaign Abusing Office Vulnerability to Distribute Backdoor

Posted on June 10, 2019
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
Microsoft is warning users to be on the lookout for a malspam campaign that's abusing an Office vulnerability in order to distribute a backdoor. On 7 June, Microsoft Security Intelligence took to Twitter to raise awareness of the operation. The campaign, which remains active as of this writing, begins when users receive a malspam email in one of several different European languages. Each of these emails attempt to trick users into opening an attached RTF document. https://twitter.com/MsftSecIntel/status/1137118977983897600?ref_src=twsrc%5Etfw This file moves the infection chain forward by exploiting CVE-2017-11882. Fixed by Microsoft in November 2017, the vulnerability consists of a stack-based overflow flaw that resides in Microsoft Equation Editor (EQNEDT32.EXE). Based on this location, digital security firm Embedi found that the security flaw affected all versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000. The security weakness enables a bad actor to execute arbitrary code on a vulnerable machine. In Embedi's analysis, for instance, researchers found a digital attacker could easily launch a file from the WebDAV server under their control as well as use an OLE auto-update to exploit the flaw without any user interaction. Just a few weeks after Microsoft issued its fix, researchers spotted another campaign leveraging a component of the Cobalt Strike penetration tool to abuse the vulnerability and infect unpatched systems with malware. In this newly wave of attacks, the malicious RTF file downloads and then runs scripts of VBScript, PowerShell and others to download a backdoor payload. This backdoor then attempts to connect to a malicious domain, a location which was down at the time of Microsoft Security Intelligence's warning. The fact that digital attacks continue to leverage exploit code for old vulnerabilities like CVE-2017-11882 highlights the need for organizations to keep their software up-to-date by investing in their vulnerability management capabilities. They might also want to consider strengthening their ability to detect advanced malware that leverage software-based flaws as an attack vector.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!