Microsoft Warns of Email Attacks Executing Code Using an Old Bug

Microsoft is warning of a fresh email campaign that distributes malicious RTF files boobytrapped with an exploit dating back to a 2017 vulnerability, CVE-2017-11882.

The exploit allows attackers to automatically run malicious code without requiring user interaction.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,” Microsoft Security Intelligence tweeted on Friday. “Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.”

> An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
>
> — Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019

The flaw is a stack-based overflow bug in Microsoft Equation Editor.

“The security flaw affected all versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000,” Tripwire explained in a write-up, posted Monday. “The security weakness enables a bad actor to execute arbitrary code on a vulnerable machine. In [an] analysis, for instance, researchers found a digital attacker could easily launch a file from the WebDAV server under their control as well as use an OLE auto-update to exploit the flaw without any user interaction.”

In this current wave of attacks targets receive an email in one of several European languages. If the recipient falls for the lure and clicks on the RTF file, it downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) which in turn download a backdoor payload. The backdoor payload then tries to connect to command-and-control server (which was down at the time of Microsoft Security Intelligence’s warning).

The same bug was at the heart of a campaign in late 2018 and early 2019 that distributed the most recent version of the .Hawkeye keylogger. Emails arrived with malicious Microsoft Excel, RTF and Doc attachments loaded with an exploit for the arbitrary code-execution bug.

Once a victim clicked on the attachment, the email-senders have intentionally made the contents of the documents look blurry — and the user was prompted to enable editing to have a clearer view of the contents. After they did that, the injection process began, with the HawkEye keylogger being downloaded. The malware then snatched up sensitive information, such as the system information, passwords from common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.

Cybercriminals using older bugs is a clear indicator that better patching habits in order: “The fact that digital attacks continue to leverage exploit code for old vulnerabilities like CVE-2017-11882 highlights the need for organizations to keep their software up-to-date by investing in their vulnerability management capabilities,” noted Tripwire.

_Ransomware is on the rise: __Don’t miss our free Threatpost webinar __on the ransomware threat landscape, June 19 at 2 p.m. ET. __Join _Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type,****with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.