Microsoft Warns Users About Ongoing Email Spam Campaign
Microsoft warns users about an ongoing email spam campaign that abuses an Office vulnerability and seems to target European users. The malware, it is reported, is spread through infected RTF documents attached to emails.
ZDNet reports, “Microsoft’s security researchers have issued a warning on Friday afternoon about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents.”
The spam emails appear to target European users as they are sent in different European languages.
When the RTF document attached to an email is downloaded, it runs multiple scripts of different types, like PowerShell, PHP, VBScript etc, to download the final payload, which is a backdoor trojan.
However, it seems that after Microsoft issued its alert, the C&C server of the backdoor trojan is down. The ZDNet report, dated June 9, 2019, says, “Fortunately, the trojan’s command and control server appears to have gone down by Friday, when Microsoft issued its security alert.”
The report, however, reminds us that there could be such other future campaigns; it says, “However, there is always the danger of future campaigns that may exploit the same tactic to spread a new version of the backdoor trojan that connects to a working server, allowing crooks direct access to infected computers.”
The vulnerability that hackers have exploited to execute this campaign is an old Office vulnerability- CVE-2017-11882, which was patched by Microsoft in an update issued in November 2017. Thus, users who had applied the patch are safe from the current campaign.
CVE-2017-11882, which has been used many times by cybercriminals since the end of 2017, is, according to ZDNet security reporter Catalin Cimpanu, “…a codename for a vulnerability in an older version of the Equation Editor component that ships with Office installs, and used for compatibility purposes in addition to Microsoft’s newer Equation Editor module.”
He explains, “Back in 2017, security researchers from Embedi discovered a bug in this older component that allowed threat actors to execute code on users’ device without any user interaction whenever a user would open a weaponized Office file that contained a special exploit… Because Microsoft appeared to have lost the source code for this old component, and after the discovery of a second Equation Editor bug in 2018, Microsoft decided to remove the older Equation Editor component altogether from the Office pack in January 2018.”
Despite the vulnerability being detected and patched, hackers, as we have already mentioned, went on exploiting it again and again as many companies and users are known to have the habit of forgetting to install security updates on time.
ZDNet points out that while most other Office exploits require that users enable macros or disable various security features via popups, this exploit doesn’t need any kind of user interaction. Hence, this exploit is being used for mass-spam campaigns and continues to be popular among many hacker groups engaged in highly targeted attacks.