
CVE-2017-11882 Exploited in Email Attacks Against European Users

Emails delivering malware are not news, but this campaign deserves attention because it uses a previously patched exploit and requires zero user interaction.

An active malware campaign using emails written in European languages distributes RTF files that carry the CVE-2017-11882 exploit, the Microsoft Security Intelligence team recently warned. The exploit allows attackers to run malicious code automatically, without any user interaction.

More about CVE-2017-11882

The vulnerability was used in combination with several others in a campaign delivering the CobInt Trojan in September last year. According to its official description, Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in.

An attacker who successfully exploits CVE-2017-11882 could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system to install programs or view, change, or delete data. An attacker could also create new accounts with full user rights.

It is curious to note that Microsoft patched CVE-2017-11882 manually in November 2017. Despite the fix, the exploit is still used in attacks, and Microsoft observed increased activity in the past few weeks.

In fact, CVE-2017-11882 is one of the most exploited vulnerabilities, and it even made Recorded Future’s list of the 10 most exploited vulnerabilities in 2018.

The current campaign involves the download of an RTF file which runs multiple scripts, including VBScript, PowerShell and PHP. The scripts then download the payload, identified as Trojan:MSIL/Cretasker. The attack doesn’t end here though, as the backdoor payload attempts to connect to a malicious domain that’s currently down, Microsoft explained in a series of tweets.
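As an added defensive example (not code from the article, Microsoft, or the campaign), the following Python scans an RTF file for the embedded Equation Editor OLE object that CVE-2017-11882 documents rely on, which is a useful triage check for mail-gateway or sandbox pipelines. The ProgID `Equation.3` and CLSID `{0002CE02-0000-0000-C000-000000000046}` are the well-known registered values for the Equation Editor; the RTF samples are constructed marker strings, not real exploit documents.

```python
import re
import binascii
from typing import Dict, List

# Well-known identifiers of the Equation Editor (EQNEDT32.EXE) OLE class.
# CLSID {0002CE02-0000-0000-C000-000000000046} stored little-endian as it
# appears in binary OLE streams. These are public values, not from the article.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

# Constructed samples: one with an explicit \objclass, one with only the
# ProgID inside the hex-encoded \objdata blob (common obfuscation), one clean.
SAMPLE_OBJCLASS = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
                   rb"{\*\objdata 0105000002000000}}}")
SAMPLE_OBJDATA_ONLY = (rb"{\rtf1{\object\objemb{\*\objdata 0105000002000000 "
                       rb"0b000000 4571756174696f6e2e33 00}}}")
SAMPLE_CLEAN = rb"{\rtf1 Hello, this is a plain RTF document.\par}"


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode the hex payload of every \\objdata control word in the RTF."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue                  # malformed hex: skip, keep scanning
    return blobs


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Flag RTFs that embed an Equation Editor object by class name or CLSID."""
    blobs = extract_objdata(rtf)
    by_class = re.search(rb"\\objclass\s*Equation\.3", rtf, re.IGNORECASE) is not None
    by_data = any(EQUATION_PROGID.lower() in b.lower() or EQUATION_CLSID_LE in b
                  for b in blobs)
    return {
        "objects": len(blobs),
        "objclass_equation": by_class,
        "objdata_equation": by_data,
        "suspicious": by_class or by_data,
    }


if __name__ == "__main__":
    for name, sample in [("objclass", SAMPLE_OBJCLASS),
                         ("objdata-only", SAMPLE_OBJDATA_ONLY),
                         ("clean", SAMPLE_CLEAN)]:
        print(name, scan_rtf(sample))
```

Any hit is a reason to detonate the document in a sandbox rather than deliver it, since legitimate Equation Editor objects in inbound mail are rare. Real samples often hide the object behind extra whitespace and control words inside `\objdata`, so this scanner treats any whitespace-separated hex as one blob rather than trusting the document's layout.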

Milena Dimitrova
