Microsoft has alerted users to a new campaign utilizing a vulnerability which was discovered and patched back in 2017 to download a backdoor Trojan to victim machines.
Spam emails have been detected in various European languages carrying malicious RTF attachments which feature an exploit for CVE-2017-11882, the computing giant said in a series of tweets on Friday.
“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates,” it said.
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.”
Although the domain in question is currently out of service, the attackers may in future update the attack to connect to a working C&C domain. This could enable the download of additional payloads, leading to infection with ransomware or banking Trojans, information theft and more.
“Office 365 ATP detects the emails and attachments used in this campaign. Windows Defender ATP detects the documents as Exploit:O97M/CVE-2017-11882.AD and the payload as Trojan:MSIL/Cretasker,” Redmond’s security team concluded.
“Other mitigations, like attack surface reduction rules, also block the exploit.”
The software flaw in question, which exists in Microsoft Office’s Equation Editor, has been incredibly popular since it was discovered a couple of years ago as it requires no user interaction to work.
It was used by APT34, an Iranian cyber espionage group, and just last week was spotted in attacks on central government targets delivering the Hawkball backdoor. It’s also been used to spread the infamous Cobalt malware and a RAT which uses the popular Telegram Messenger app for its command and control (C&C).
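The chain Microsoft describes (an RTF exploit for the Equation Editor flaw that goes on to run VBScript and PowerShell stages) leaves a process-creation trail a defender can look for. The following is an added detection example, not code from Microsoft or from the article: it parses a handful of constructed process-creation records in a simple pipe-separated format (an assumed format, not any product's native log) and flags children spawned by the Equation Editor binary (EQNEDT32.EXE, the real executable name for the Office component the flaw lives in) or script hosts spawned directly by an Office application. The host names, timestamps, paths and command lines in the sample are all constructed.

```python
"""Flag Office / Equation Editor process trees typical of CVE-2017-11882 abuse.

Added example (not from the article). Input format is an assumed, constructed
one: timestamp|host|parent_image|image|command_line, one event per line.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts from which a script interpreter child is worth a look.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters the article says the RTF chain launches (VBScript, PowerShell,
# PHP) plus the usual launchers they ride on.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe", "php.exe"}
# Real executable name of the Office Equation Editor targeted by the flaw.
EQUATION_EDITOR = "eqnedt32.exe"


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed-format record; raise ValueError if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*parts)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity for suspicious parent/child pairs, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent == EQUATION_EDITOR:
        # Equation Editor has no reason to spawn any child in normal use;
        # the exploit gains execution inside it and launches its next stage.
        return "high"
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        # Office documents driving a script host is the next stage of the chain.
        return "medium"
    return None


def detect(lines: List[str]) -> List[Tuple[str, ProcessEvent]]:
    """Run classify() over raw records, skipping malformed lines."""
    alerts = []
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError:
            continue  # unparsable telemetry is dropped, not treated as a hit
        severity = classify(ev)
        if severity:
            alerts.append((severity, ev))
    return alerts


# Constructed sample telemetry (hosts, times, paths and commands are made up).
SAMPLE_LOG = [
    "2019-06-07T09:12:01Z|WS-01|C:\\Program Files\\Common Files\\Microsoft Shared"
    "\\EQUATION\\EQNEDT32.EXE|C:\\Windows\\System32\\cmd.exe|"
    "cmd /c cscript.exe %TEMP%\\stage1.vbs",
    "2019-06-07T09:12:02Z|WS-01|C:\\Windows\\System32\\cmd.exe|"
    "C:\\Windows\\System32\\cscript.exe|cscript.exe %TEMP%\\stage1.vbs",
    "2019-06-07T09:12:05Z|WS-01|C:\\Program Files\\Microsoft Office\\root\\Office16"
    "\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File %TEMP%\\stage2.ps1",
    "2019-06-07T09:15:00Z|WS-02|C:\\Windows\\explorer.exe|"
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"
    "WINWORD.EXE /n quarterly.docx",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for severity, ev in detect(SAMPLE_LOG):
        print(f"[{severity}] {ev.timestamp} {ev.host}: "
              f"{basename(ev.parent_image)} -> {basename(ev.image)} :: {ev.command_line}")
```

Against the sample, the Equation Editor spawning cmd.exe is reported as high and Word spawning PowerShell as medium; cmd.exe launching cscript.exe on its own is not flagged, since without the Office parent it is ordinary activity, which is why the chain is best correlated by parent image rather than by interpreter name alone.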