Emails delivering malware are not news, but this campaign deserves attention: it relies on an exploit that was patched more than a year ago, and it needs nothing from the victim beyond opening the attachment.
An active malware campaign is using emails written in various European languages to distribute RTF files that carry the CVE-2017-11882 exploit, the Microsoft Security Intelligence team recently warned. Once the document is opened, the exploit runs the attacker's code automatically, with no further user interaction (no macros to enable, no prompts to click through).
More about CVE-2017-11882
The vulnerability was used in combination with several others in a campaign delivering the CobInt Trojan in September last year. It is a memory corruption flaw in the Equation Editor component (EQNEDT32.EXE) that ships with Office. According to its official description, Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1 and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
An attacker who successfully exploits CVE-2017-11882 could run arbitrary code in the context of the current user. If that user is logged on with administrative rights, the attacker could take control of the affected system: install programs; view, change or delete data; or create new accounts with full user rights. Running Office under a non-administrative account does not stop the exploit, but it does limit what the payload can do afterwards.
It is worth noting how CVE-2017-11882 was fixed: in November 2017 Microsoft patched the Equation Editor binary directly rather than rebuilding it from source, and in January 2018 it removed the component from Office altogether. Despite a fix having been available for well over a year, the exploit is still used in attacks, and Microsoft observed increased activity in the past few weeks; any Office installation that has not received the January 2018 updates remains exposed.
In fact, CVE-2017-11882 remains one of the most exploited vulnerabilities: it appears on Recorded Future's list of the ten most exploited vulnerabilities of 2018.
The current campaign involves the download of an RTF file which runs multiple scripts of different types, such as VBScript, PowerShell and PHP. The scripts then download the payload, identified as Trojan:MSIL/Cretasker. The attack does not end there, as the backdoor payload attempts to connect to a malicious domain that is currently down, Microsoft explained in a series of tweets.
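The whole chain hinges on one artifact, an RTF file with an embedded Equation Editor object, so mail gateways and responders can triage attachments for that object before any script or payload is ever fetched. The scanner below is an added example, not code from Microsoft or from the original article. It decodes the `\objdata` hex blobs of an RTF and looks for the Equation Editor class name and CLSID; the CLSID {0002CE02-0000-0000-C000-000000000046} and the OLE1 object header layout come from Microsoft's published component and MS-OLEDS documentation, while the sample documents are constructed inline (a stand-in for the OLE2 payload, with no exploit content), and the `triage_rtf` and `extract_objdata` names are this example's own.

```python
"""Triage RTF attachments for embedded Equation Editor objects (CVE-2017-11882 vector).

Added example: heuristic scanner, not Microsoft's detection logic.
"""
import re
import struct

# Equation Editor 3.0 (EQNEDT32.EXE) CLSID, also shown as the little-endian byte
# layout (Data1/Data2/Data3 swapped, Data4 as-is) found inside OLE compound files.
EQNEDT_CLSID = "{0002CE02-0000-0000-C000-000000000046}"
EQNEDT_CLSID_LE = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")

_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")


def _group_body(text: str, start: int) -> str:
    """Return text from `start` up to the '}' that closes the enclosing RTF group."""
    depth, i, out = 0, start, []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            out.append(text[i:i + 2])  # escaped brace or backslash, keep literally
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:
                break
            depth -= 1
        out.append(ch)
        i += 1
    return "".join(out)


def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata hex blob, tolerating whitespace and stray control words."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf):
        body = _CONTROL_WORD.sub("", _group_body(rtf, m.end()))
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", body)
        blobs.append(bytes.fromhex(hexdigits[: len(hexdigits) // 2 * 2]))
    return blobs


def triage_rtf(rtf: str) -> dict:
    """Return indicator flags and a verdict ('suspicious' or 'clean') for one RTF."""
    classes = [c.strip().lower() for c in re.findall(r"\\objclass\s*([^\\{}]+)", rtf)]
    blobs = extract_objdata(rtf)
    result = {
        "has_object": "\\object" in rtf,
        "objclass_equation": any("equation" in c for c in classes),
        "equation_in_objdata": any(b"Equation" in b for b in blobs),
        "clsid_in_objdata": any(EQNEDT_CLSID_LE in b for b in blobs),
    }
    hits = ("objclass_equation", "equation_in_objdata", "clsid_in_objdata")
    result["verdict"] = "suspicious" if any(result[k] for k in hits) else "clean"
    return result


def ole1_object(class_name: str, native: bytes) -> bytes:
    """Build a minimal OLE1 ObjectHeader plus NativeData (MS-OLEDS 2.2.4 / 2.2.5)."""
    name = class_name.encode() + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)            # OLEVersion, FormatID=embedded
            + struct.pack("<I", len(name)) + name         # ClassName (length-prefixed)
            + struct.pack("<II", 0, 0)                    # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)    # NativeDataSize, NativeData


# Constructed samples. The "native" part is a stand-in (compound-file magic, the
# CLSID and a stream name), not a real OLE2 file and not an exploit.
_FAKE_NATIVE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + EQNEDT_CLSID_LE
                + b"Equation Native\x00")
_OBJ_HEX = ole1_object("Equation.3", _FAKE_NATIVE).hex()

SAMPLE_BENIGN = r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}} Quarterly report attached.\par}"
SAMPLE_EQUATION = (r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
                   + _OBJ_HEX + "}}}")
# Obfuscated variant: no \objclass at all, hex split across lines with junk control words.
SAMPLE_OBFUSCATED = (r"{\rtf1\ansi{\object\objemb{\*\objdata " + "\n".join(
    _OBJ_HEX[i:i + 40] + r"\fs20" for i in range(0, len(_OBJ_HEX), 40)) + "}}}")

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("equation", SAMPLE_EQUATION),
                       ("obfuscated", SAMPLE_OBFUSCATED)):
        print(label, triage_rtf(doc))
```

This is a triage heuristic rather than a vulnerability check: an Equation 3.0 object is suspicious on its own because the component was removed from Office in January 2018 and legitimate documents rarely carry it, but real samples add further obfuscation (control words inside the hex, nested groups), so a production pipeline should hand the file to a full RTF/OLE parser such as oletools' rtfobj and a sandbox. The same indicator maps to a host-side detection: on a patched system EQNEDT32.EXE should never run, so the process starting at all, let alone spawning a child process, is a high-fidelity alert.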