Cybercriminals are successfully exploiting a vulnerability that has been present in Microsoft Office Equation Editor for the past 17 years to distribute malware. The payload is a backdoor that can give an attacker full control of the system, including the ability to execute commands and extract files.
The malware is capable of taking over a system entirely through Cobalt Strike, a powerful penetration testing toolkit. It is software created for Red Team Operations and Adversary Simulations that provides covert access channels into a system.
The campaign mainly targets Russian-speaking users: the spam email is crafted as a Visa notification informing recipients about changes in the rules of the payWave service. The email carries a password-protected RTF document, with the password sent to the user separately. This file contains the malicious code, but because it is password protected, it is difficult for scanners to detect that it is loaded with malware.
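The lure document is an RTF file carrying an embedded Equation Editor object. Once such a file has been unlocked, a defender can triage it without opening it in Office by looking for that object: the `\objclass` control word names the OLE class, and the hex in `\objdata` carries either the class name or the Equation Editor CLSID. The scanner below is an added example written for this article, not code from the original page or from Fortinet; the RTF fragments it checks are constructed stand-ins that imitate the structure of such documents and contain no exploit.

```python
import re
import uuid

# CLSID of Microsoft Equation 3.0 (the Equation Editor OLE class). Inside OLE
# containers a GUID is stored little-endian, so the comparison uses bytes_le.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_CLSID_LE = EQUATION_CLSID.bytes_le

OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _ole1_header(class_name: str) -> str:
    """Hex of a minimal OLE 1.0 object header naming class_name (constructed)."""
    name = class_name.encode() + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name).hex()


# Constructed RTF fragments, not real lure documents.
SAMPLE_EQUATION_RTF = (
    r"{\rtf1\ansi Please enable editing to view this document."
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + _ole1_header("Equation.3") + "}}}"
)
# Same object kind with the \objclass hint stripped; only the CLSID remains in objdata.
SAMPLE_OBFUSCATED_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objdata " + EQUATION_CLSID_LE.hex() + "}}}"
)
SAMPLE_BENIGN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Excel.Sheet.12}{\*\objdata "
    + _ole1_header("Excel.Sheet.12") + "}}}"
)
SAMPLE_PLAIN_RTF = r"{\rtf1\ansi Just text, no embedded objects.}"


def extract_objdata_blobs(rtf: str) -> list:
    """Decode every \\objdata hex run into bytes, tolerating whitespace and truncation."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:          # odd-length (cut off) hex: drop the dangling nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(bytes.fromhex(hexdata))
        except ValueError:
            continue
    return blobs


def scan_rtf(rtf: str) -> dict:
    """Report whether the RTF embeds an Equation Editor object and why."""
    reasons = []
    classes = [c.strip() for c in OBJCLASS_RE.findall(rtf)]
    for c in classes:
        if c.lower().startswith("equation."):
            reasons.append(f"objclass declares Equation Editor object: {c}")
    for i, blob in enumerate(extract_objdata_blobs(rtf)):
        if b"equation." in blob.lower():
            reasons.append(f"objdata #{i} carries an Equation Editor class name")
        if EQUATION_CLSID_LE in blob:
            reasons.append(f"objdata #{i} carries the Equation Editor CLSID")
    return {
        "has_object": "\\object" in rtf,
        "object_classes": classes,
        "equation_object": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, doc in [("equation", SAMPLE_EQUATION_RTF),
                       ("obfuscated", SAMPLE_OBFUSCATED_RTF),
                       ("benign", SAMPLE_BENIGN_RTF),
                       ("plain", SAMPLE_PLAIN_RTF)]:
        print(label, scan_rtf(doc))
```

A hit does not prove exploitation, since legitimate documents can embed equations, but after the November 2017 patch the object has no business arriving by email, so any match from an external sender is worth quarantining for closer analysis.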
Once opened, the user sees a blank document with only an Enable Editing message visible. This message merely covers what is happening in the background: the malicious code is downloaded and runs a PowerShell script that installs Cobalt Strike and hijacks the system.
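On the endpoint, the chain described above leaves a distinctive process tree: Office starts the Equation Editor (EQNEDT32.EXE) through COM to render the object, and the exploited Equation Editor, which normally launches nothing, then spawns a script host such as PowerShell. The detection below is an added example for this article, not code from the original page or from Fortinet; it runs over constructed process-creation events in a flat `key=value` layout (not real telemetry), and the paths and the rule thresholds are assumptions.

```python
import ntpath

# Parents that should not be launching script hosts: Office applications and the
# Equation Editor itself (assumption: EQNEDT32.EXE never spawns children normally).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|Image=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|CommandLine=\"EQNEDT32.EXE\" -Embedding",
    "EventId=1|ParentImage=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -w hidden -c <script elided>",
    "EventId=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=C:\\Windows\\splwow64.exe 12288",
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c <command elided>",
]


def parse_event(line: str) -> dict:
    """Split a flat 'k=v|k=v' event into a dict; values may contain '=' themselves."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (severity, reason) for a suspicious parent/child pair, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent == "eqnedt32.exe":
        # Any child of the Equation Editor is anomalous; a script host doubly so.
        return "high", f"Equation Editor spawned {child}"
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return "medium", f"{parent} spawned script host {child}"
    return None


def detect(lines) -> list:
    """Run the classifier over raw event lines and collect alerts."""
    alerts = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            severity, reason = verdict
            alerts.append({"line": i, "severity": severity, "reason": reason,
                           "command": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Word starting EQNEDT32.EXE with `-Embedding` (the first event) is the normal COM activation and is deliberately not flagged; the rule fires on what follows it. The explorer-launched backup script and Word's print helper show the benign cases the rule must stay quiet on.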
The flaw in MS Office, categorized as CVE-2017-11882, is old, but it was only discovered in November 2017 by Embedi security and was patched by Microsoft in its November 2017 Patch Tuesday security update. This is why cybercriminals were able to exploit it: it was discovered very late, and not many users were aware of it.
It is a remote code execution vulnerability that results from the way the software handles certain objects in memory. By exploiting this flaw, attackers can execute arbitrary code, and if the user has admin rights, the attacker can issue various commands. It also allows attackers to control the entire system by infecting it with malware. Apparently, the Cobalt hacking group is responsible for this new campaign.
According to Fortinet security researchers Jasper Manual and Joie Salvio, the presence of such exploitable vulnerabilities in credible software gives attackers an excellent opportunity to launch this kind of campaign. Hackers are always searching for vulnerabilities and will exploit them regardless of whether the flaw is old or new, or whether a patch has been released.
“This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case,” wrote Manual and Salvio.
Therefore, users of Microsoft Office should install the security update for this vulnerability immediately to ensure that they stay protected from this campaign.