Microsoft warns about email spam campaign abusing Office vulnerability

LASER_oneXM

Microsoft's security researchers have issued a warning on Friday afternoon about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents.

Microsoft said the spam wave appears to target European users, as the emails are sent in various European languages.

"In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload," the Microsoft Security Intelligence team said.
The final payload is a backdoor trojan, Microsoft said. Fortunately, the trojan's command and control server appears to have gone down by Friday, when Microsoft issued its security alert.
 

Andy Ful

This vulnerability was patched in the year 2018, but it is still dangerous in enterprises. The infection chain is well known:
RTF file > MS Office > vulnerability in Equation Editor > dropped malicious Microsoft Word plugin WLL to Word startup folder.
The weaponized RTF file can be delivered in several ways, for example, as a spam attachment (RTF document or RTF embedded in a PDF document), or via a phishing URL to the weaponized document, etc.
 
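The chain above starts with an RTF that carries an embedded Equation Editor object, so the cheapest defensive check is to look inside the `\objdata` blobs of an RTF for an OLE1 header whose class name is Equation.3. The script below is an added example written for this thread, not code from any poster here; the sample RTF it scans is constructed inline and contains only the OLE1 header (version, format id, class name) and no payload.

```python
"""Triage an RTF file for embedded Equation Editor (Equation.3) OLE objects."""
import binascii
import re
import sys

# Constructed sample (not a real attachment): a minimal RTF with one embedded
# OLE object whose OLE1 header names the "Equation.3" class. The hex is just
# OLEVersion, FormatID (2 = embedded) and a length-prefixed class name.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b000000"
    rb"4571756174696f6e2e3300"   # "Equation.3\0"
    rb"}}}"
)

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\s{}\\]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata group in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def parse_ole1_class(blob: bytes) -> bytes:
    """Return the class name from an OLE1 ObjectHeader, or b'' if malformed."""
    if len(blob) < 12:
        return b""
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len == 0 or 12 + name_len > len(blob):
        return b""
    return blob[12:12 + name_len].rstrip(b"\x00")


def scan_rtf(rtf: bytes) -> list:
    """Return (reason, detail) findings; an empty list means nothing was seen."""
    findings = []
    # Declared class names are the obvious signal...
    for cls in OBJCLASS_RE.findall(rtf):
        if b"equation" in cls.lower():
            findings.append(("objclass", cls.decode("ascii", "replace")))
    # ...but the OLE1 header inside \objdata is what actually selects the server,
    # so check it independently of what \objclass claims.
    for blob in extract_objdata(rtf):
        cls = parse_ole1_class(blob)
        if b"equation" in cls.lower():
            findings.append(("ole1-header", cls.decode("ascii", "replace")))
        elif b"equation" in blob.lower():
            findings.append(("ole1-body", "class name not in header but 'equation' present"))
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for reason, detail in scan_rtf(data) or [("clean", "no Equation objects found")]:
        print(f"{reason}: {detail}")
```

Run it with a file path to triage a real attachment, or with no arguments to see it flag the constructed sample. Any hit is a reason to quarantine the document for review rather than a verdict on its own: Equation.3 objects are legitimate in old documents, which is exactly why the patch and, in enterprises, disabling the Equation Editor component matter more than signatures.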

upnorth

This vulnerability was patched in the year 2018.
It was actually patched already in 2017, but the problem is sadly not that easily fixed automatically.
Users who applied the November 2017 Patch Tuesday security updates should be safe.
It is known that many users and companies often fail or forget to install security updates in a timely manner.
Malware operators have jumped on this exploit and have weaponized it ever since the end of 2017, knowing they'll have ample time to take advantage of forgetful users who don't bother with security updates. And they did. They used the exploit over and over again, numerous times. A Recorded Future report ranked CVE-2017-11882 as the third-most exploited vulnerability of 2018, and a similar Kaspersky report also ranked it at the top of the list.
[image: threat-landscape-2016-2018.png]

 

Andy Ful

It was actually patched already in 2017, but the problem is sadly not that easily fixed automatically.

The article:
refers to another article from FireEye Labs:
"For example, this week, in two different reports [1, 2], FireEye said CVE-2017-11882 was shared among different Chinese cyber-espionage groups."
This fragment is somewhat misleading because the first reference is an article:
which correctly informs that the malware exploits Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802, both of which are related to eqnedt.exe (the second vulnerability is from the year 2018).
 
