Microsoft’s security researchers have issued a warning on Friday afternoon about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents.
Microsoft said the spam wave appears to target European users, as the emails are sent in various European languages.
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload,” the Microsoft Security Intelligence team said.
The final payload is a backdoor trojan, Microsoft said. Fortunately, the trojan’s command and control server appears to have gone down by Friday, when Microsoft issued its security alert.
However, there is always the danger of future campaigns that may exploit the same tactic to spread a new version of the backdoor trojan that connects to a working server, allowing crooks direct access to infected computers.
The good news is that users can be completely safe from this spam campaign. The initial infection vector relies on an old Office vulnerability that Microsoft patched back in November 2017.
Users who applied the November 2017 Patch Tuesday security updates should be safe.
The vulnerability is tracked as CVE-2017-11882. This is a codename for a vulnerability in an older version of the Equation Editor component that ships with Office installs, and used for compatibility purposes in addition to Microsoft’s newer Equation Editor module.
Back in 2017, security researchers from Embedi discovered a bug in this older component that allowed threat actors to execute code on users’ device without any user interaction whenever a user would open a weaponized Office file that contained a special exploit.
Because Microsoft appeared to have lost the source code for this old component, and after the discovery of a second Equation Editor bug in 2018, Microsoft decided to remove the older Equation Editor component altogether from the Office pack in January 2018.
However, it is known that many users and companies often fail or forget to install security updates in a timely manner.
CVE-2017-11882, ONE OF TODAY’S MOST POPULAR VULNERABILITIES
Malware operators have jumped on this exploit and have weaponized it ever since the end of 2017, knowing they’ll have ample time to take advantage of forgetful users who don’t bother with security updates.
And they did. They used the exploit over and over again, numerous times. A Recorded Future report ranked the CVE-2017-11882 as the third-most exploited vulnerability of 2018, and similar Kaspersky report also ranked it at the top of the list.
The exploit itself is a godsend, as it needs no user interaction, unlike most other Office exploits, which require that users enable macros or disable various security features via popups.
While Microsoft has warned this week that CVE-2017-11882 is being used for mass-spam campaigns, the exploit is also very popular with hacker groups engaged in very targeted attacks, such as economical espionage or intelligence gathering.
For example, this week, in two different reports [1, 2], FireEye said CVE-2017-11882 was shared among different Chinese cyber-espionage groups.
The fact that several Chinese state-sponsored hacking groups are using this exploit stands testament to its efficiency and another reason why users need to be aware of it and apply the necessary patches.