Microsoft is warning of an active spam campaign targeting European languages that leverages an exploit to infect simply by opening the attachment.

Microsoft issued a warning on Friday about an ongoing spam campaign that is targeting European users. Spam messages are carrying weaponized RTF documents that could infect users with malware without any user interaction, just opening the RTF documents.

The spam messages are sent in various European languages, threat actors are exploiting the Microsoft Office and Wordpad CVE-2017-11882 vulnerability. The tech giant published a series of tweet warning of the spam campaign:

An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw — Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.” warns Microsoft.

Office 365 ATP detects the emails and attachments used in this campaign. Windows Defender ATP detects the documents as Exploit:O97M/CVE-2017-11882.AD and the payload as Trojan:MSIL/Cretasker. Other mitigations, like attack surface reduction rules, also block the exploit. — Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019

The CVE-2017-11882 flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability could be triggered on all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in the memory, a bug that could be exploited by the attacker to execute malicious code in the context of the logged-in user.

Even if the flaw was patched in 2017, experts at Microsoft continue to see threat actors exploiting it in the wild, with a peak in the number of attacks leveraging the issue over the past few weeks.

“Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.” states Microsoft.

Once the RTF attachment is opened, it will execute multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload.

The payload used in this campaign is a backdoor attempt to connect to a malicious domain that is no longer accessible.

However, experts at Microsoft believe that attackers may use the same tactic to spread a new version of the backdoor that connects to an active C2.

Pierluigi Paganini

(SecurityAffairs – CVE-2017-11882, spam campaign)