Yet Another Spam Campaign Uses CVE-2017-11882 to Deliver Malware
We recently touched upon the problem of vulnerability management and patching. The fact of the matter is, a very large portion of users and organizations that rely heavily on computers are completely unaware of how important it is to keep track of the all-important security updates that software vendors release every single day. There are endless examples that can show us how true this is, and the latest one comes in the form of a spam campaign that Microsoft warned us about last week.
Despite its age, CVE-2017-11882 is still actively abused
In November 2017, security researchers were a bit baffled by a spam campaign that was delivering Loki – a spyware program designed to steal sensitive information. The messages did carry a malicious file with them which was pretty standard for a Loki campaign at the time, but the attachments weren't the typical macro-enabled Microsoft Office files. They were Rich Text Format (RTF) documents that automatically downloaded the payload the moment they were opened. They required no other interaction from the user.
After some more research, the experts discovered that the files were exploiting a vulnerability in Microsoft Office. The security flaw was given a tracking code – CVE-2017-11882 – and it turned out that it had been introduced a whopping 17 years before its discovery with the addition of MS Office's Equation Editor – a component used for inserting objects into Office files. November 2017's Patch Tuesday included a fix for the security flaw, and a January 2018 update removed the Equation Editor completely. For people who keep their software up-to-date, CVE-2017-11882 is no longer a problem. For many, however, this is not the case.
Some people have yet to patch CVE-2017-11882
On Friday, Microsoft used its Security Intelligence account on Twitter to warn people of a spam campaign that is utilizing CVE-2017-11882. The messages have been flying around for a "few weeks", and they are primarily targeting European users. Once opened, the attached RTF file downloads a script which installs a backdoor trojan on the computer. Last week, the crooks' Command & Control (C&C) server was down, but there's no telling when they're going to get it back up and running. Microsoft tracks the payload as Trojan:MSIL/Cretasker and promises that the built-in security tools in Office and Windows can protect users from a successful infection.
The fact that the crooks are actively using CVE-2017-11882 almost two years after its discovery is significant. They apparently believe that despite the availability of a patch, people still haven't secured their MS Office installations. At the same time, the fact that Microsoft warns people about the campaign shows that the hackers' assumptions are most likely correct.
Why do hackers love CVE-2017-11882 so much?
Over the last year and a half, CVE-2017-11882 has been used against both large organizations and regular users, and the recent spam campaign shows that cybercriminals have no intention of slowing down, which shouldn't really be that surprising given the smooth infection chain it provides. The vulnerability's main advantage stems from the fact that other than persuading the victim to open the malicious attachment, the hackers don't need to do anything else. In other words, a CVE-2017-11882 exploit depends on two factors – a woefully out-of-date MS Office installation and a user who is all-too-willing to open email attachments. Both of these, it seems, are not that difficult to come by.