Emails delivering RTF files equipped with an exploit that requires no user interaction (except for opening the booby-trapped file) are hitting European users’ inboxes, Microsoft researchers have warned.

Exploit delivers backdoor

The exploit takes advantage of a vulnerability in an older version of the Office Equation Editor, which was manually patched by Microsoft in November 2017.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks,” the researchers noted.

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.”

The malicious payload is detected as Trojan:MSIL/Cretasker.

An oldie but goodie

Despite the vulnerability having been patched ages ago, attackers apparently still believe that many users haven’t implemented the fixes and are still vulnerable.

CVE-2017-11882 is, in fact, so popular with attackers that it made Recorded Future’s list of the 10 most exploited vulnerabilities in 2018.

And it’s not just random malware peddlers that take advantage of it: FireEye recently reported it being used, along another Equation Editor flaw (CVE-2018-0802), by state-sponsored APT actors.