Microsoft Warns of Large Spam Campaign Hitting Europe
Attackers Using Older Office Exploit
Microsoft is warning about a large-scale spam campaign that is targeting European users by taking advantage of an old Office exploit to send emails carrying malware in malicious Rich Text Format (RTF) attachments.
In a series of tweets sent from the Microsoft Security Intelligence team on Friday, researchers warned of the spam campaign, found in malicious emails written in several European languages. By using the older exploit, tracked as CVE-2017-11882, attackers can automatically run malicious code without requiring user interaction, according to Microsoft.
First found in 2017, CVE-2017-11882 specifically targets Equation Editor, a feature found in older versions of Office that Microsoft has since removed and replaced. This component allowed Office users to build complex equations within Office documents.
Microsoft Security Intelligence (@MsftSecIntel) wrote on June 7, 2019: "An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction."
While Microsoft issued a patch for this particular vulnerability two years ago, company security researchers continue to see the exploit used in various attacks, with a significant increase over the last several weeks.
For instance, Cisco Talos researchers wrote earlier this month about a series of cyberattacks called "Frankenstein," so named because the attackers pieced together several different and unrelated open source components as part of the campaign. In this case, the attackers targeted victims using malicious documents that took advantage of the CVE-2017-11882 exploit.
Older Exploits Still Working
What makes this particular exploit troublesome is that it allows attackers to create RTF or Word documents that, once opened by the victim, can automatically execute commands. From there, an attacker could take over an entire system if the user had administrative credentials.
"If the current user is logged on with administrative user rights, an attacker could take control of the affected system," according to Microsoft's original 2017 alert. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
In the current version of this attack, Microsoft researchers warn that once the malicious attachment is opened by the user, the malware attempts to run multiple scripts, including ones using VBScript, PowerShell and PHP, before attempting to download the payload.
This payload is a Trojan that tries to connect to a specific domain. By the time Microsoft issued its warning on Friday, however, the attackers had taken the malicious domain down. Since attackers have been taking advantage of this exploit for the past two years, it's possible they could pick up this campaign again at another point.
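As an added defender-side example (not Microsoft's or Cisco Talos's code, and not taken from the article), the following Python triage scanner flags RTF attachments that embed an Equation Editor object, the component the preceding paragraphs describe being abused, before any of the follow-on scripts or payload download would get a chance to run. It relies on two facts not stated in the article and listed here as assumptions: Equation Editor 3.0 registers the ProgID Equation.3 and the CLSID {0002CE02-0000-0000-C000-000000000046}, and RTF stores an embedded object as a `\object` group containing a `\*\objclass` name and hex-encoded `\*\objdata`. The sample RTF strings are constructed for the test and carry only an OLE class-name header, not an exploit.

```python
"""Triage scanner: does an RTF attachment embed an Equation Editor object?

Added example, not code from Microsoft, Cisco Talos or the article.
Assumptions (not from the article): Equation Editor 3.0 uses ProgID
"Equation.3" and CLSID {0002CE02-0000-0000-C000-000000000046}; RTF stores
embedded objects as {\object ... {\*\objclass ProgID} {\*\objdata <hex>}}.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# OLE1 embedded-object streams carry the class name as an ASCII string.
EQUATION_PROGID = b"Equation.3"
# CLSID {0002CE02-0000-0000-C000-000000000046} as it is laid out on disk:
# first three fields little-endian, last eight bytes in order (assumption above).
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")


@dataclass
class ObjectFinding:
    """One embedded object that looks like Equation Editor, with the evidence."""
    objclass: str
    reasons: list[str] = field(default_factory=list)


def _balanced_group(text: str, start: int) -> str:
    """Return the brace-balanced RTF group that begins at text[start] == '{'."""
    depth = 0
    i = start
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # escaped char or control word: \{ and \} are not groups
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]         # unterminated group (truncated or malformed file)


def _decode_objdata(raw: str) -> bytes:
    """Decode a {\*\objdata ...} group, tolerating whitespace and padding control words."""
    cleaned = re.sub(r"\\[A-Za-z]+-?\d* ?|\\.", "", raw)   # strip control words/symbols
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", cleaned)      # keep only hex digits
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits)


def scan_rtf(data: bytes) -> list[ObjectFinding]:
    """Return a finding for every embedded object that resolves to Equation Editor."""
    text = data.decode("latin-1")
    findings: list[ObjectFinding] = []
    for m in re.finditer(r"\{\\object\b", text):
        group = _balanced_group(text, m.start())
        cls_m = re.search(r"\{\\\*\\objclass\s*([^}]*)\}", group)
        objclass = cls_m.group(1).strip() if cls_m else ""
        finding = ObjectFinding(objclass=objclass)
        declared = "equation" in objclass.lower()
        if declared:
            finding.reasons.append("objclass declares Equation Editor")
        od = group.find("{\\*\\objdata")
        if od != -1:
            blob = _decode_objdata(_balanced_group(group, od))
            if EQUATION_PROGID in blob:
                finding.reasons.append("OLE1 class name Equation.3 in objdata")
            if EQUATION_CLSID_LE in blob:
                finding.reasons.append("Equation Editor CLSID in objdata")
            if finding.reasons and not declared:
                finding.reasons.append("objclass does not match embedded object (possible evasion)")
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed samples: an OLE1 header naming Equation.3, a benign file, and a file
# whose declared class is Word but whose object data carries the Equation CLSID.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\*\generator constructed sample}\par Invoice attached."
    rb"{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571 75617469 6f6e2e33 00 }\par}}"
)
BENIGN_RTF = rb"{\rtf1\ansi\par Meeting notes for Tuesday.\par}"
EVASIVE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
    rb"{\*\objdata 02ce0200\pard 00000000 c000\pard 000000000046}}}"
)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF), ("evasive", EVASIVE_RTF)):
        for f in scan_rtf(blob) or [None]:
            print(name, "->", "clean" if f is None else f"{f.objclass!r}: {'; '.join(f.reasons)}")
```

The decoder deliberately strips whitespace and stray control words from the object data because real attachments rarely present the hex as one clean run, and a scanner that only matched the declared `\objclass` would miss files that declare a harmless class while embedding the Equation object. A hit means the attachment carries an Equation Editor object, which on an unpatched host is exactly the condition the article describes; it is grounds to quarantine the message and confirm the patch is applied, not proof that the object is malicious.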
In an analysis of the original CVE-2017-11882 exploit in 2017, Palo Alto Networks' Unit 42 warned that attackers were likely to take advantage of this particular flaw for "years to come."
As part of its new warning, the Microsoft Security Intelligence team is urging companies running older versions of Office that still contain Equation Editor to apply the patch issued two years ago. An alternative is to disable Equation Editor if it's still in use.
If the patch is properly applied, attackers cannot exploit the flaw, and Microsoft has since removed Equation Editor from all newer versions of Office because of a series of security problems with this component.
This is not the only patch that Microsoft has been issuing warnings about. Over the last month, the company, along with the U.S. National Security Agency, has warned users to update older Windows systems against BlueKeep, a vulnerability in the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).