CVE-2017-11882 Exploited in Email Attacks Against European Users

Emails delivering malware are not news, but this campaign deserves attention because it uses a previously patched exploit and requires zero user interaction.

An active malware campaign using emails written in European languages distributes RTF files that carry the CVE-2017-11882 exploit, the Microsoft Security Intelligence team recently warned. The exploit allows attackers to run malicious code automatically, without any user interaction.

More about CVE-2017-11882

The vulnerability was used in combination with several others in a campaign delivering the CobInt Trojan in September last year. According to its official description, Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in.

Related: CobInt Trojan Removal Instructions — Restore Your Computer From Infections.

An attacker who successfully exploits CVE-2017-11882 could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system to install programs or view, change, or delete data. An attacker could also create new accounts with full user rights.

It is curious to note that Microsoft patched CVE-2017-11882 manually in November 2017. Despite it being fixed, the exploit is still utilized in attacks, and Microsoft observed increased activity in the past few weeks.

In fact, CVE-2017-11882 is one of the most exploited vulnerabilities, and it even made it to Recorded Future’s list dedicated to the 10 most exploited vulnerabilities in 2018.

The current campaign involves the download of an RTF file which runs multiple scripts, such as VBScript, PowerShell and PHP. The scripts then download the payload, identified as Trojan:MSIL/Cretasker. The attack doesn't end there: the backdoor payload attempts to connect to a malicious domain that is currently down, Microsoft explained in a series of tweets.
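Since the campaign is delivered as RTF attachments, a defender's first triage step is to look inside the RTF for embedded OLE objects before any parser in Office touches them. The following is an added example, not code from the article or from Microsoft: a small Python triage script that pulls the hex-encoded `\objdata` blobs out of an RTF, records the declared `\objclass`, and flags the combination of indicators associated with this vulnerability. It relies on two facts the article does not state but which are well documented: CVE-2017-11882 lives in the Office Equation Editor component, whose OLE class name is `Equation.3`, and malicious RTFs frequently use a truncated `{\rt` header that Word still accepts. The two RTF documents embedded in the script are constructed, benign samples; the function and field names are my own.

```python
"""Heuristic triage of an RTF document for embedded OLE objects of the
kind used to deliver CVE-2017-11882.  Added example; both sample
documents below are constructed and carry no exploit content."""
import re
from typing import Dict, List

# \objdata holds an OLE1 stream as a run of hex digits, often broken
# across whitespace; capture the whole run up to the next control/brace.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
# \objclass names the OLE server that will handle the object.
OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9.]+)")


def extract_objdata(rtf: str) -> List[bytes]:
    """Return every \\objdata blob in the document, hex-decoded."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(bytes.fromhex(hexstr))
    return blobs


def triage_rtf(rtf: str) -> Dict[str, object]:
    """Collect indicators that, together, warrant detonating or blocking
    the file rather than letting it reach a user's Office installation."""
    blobs = extract_objdata(rtf)
    classes = OBJCLASS_RE.findall(rtf)
    decoded = b"".join(blobs)
    report: Dict[str, object] = {
        "well_formed_header": rtf.startswith("{\\rtf1"),
        # Word accepts truncated headers such as "{\rt"; legitimate
        # generators do not emit them.  (Known evasion pattern, an
        # assumption of this example rather than a claim of the article.)
        "truncated_header": rtf.startswith("{\\rt")
        and not rtf.startswith("{\\rtf1"),
        "objdata_blobs": len(blobs),
        # Equation.3 is the Equation Editor ProgID; the component that
        # CVE-2017-11882 affects (fact assumed here, not stated on the page).
        "objclass_equation": any(c.lower().startswith("equation") for c in classes),
        # \objupdate forces the object to be refreshed on open, i.e. the
        # OLE server is launched without the user clicking anything.
        "objupdate": "\\objupdate" in rtf,
        "decoded_equation_marker": b"Equation" in decoded,
    }
    report["suspicious"] = bool(report["objdata_blobs"]) and (
        report["objclass_equation"] or report["decoded_equation_marker"]
    )
    return report


# Constructed sample: truncated header, auto-updating Equation.3 object
# whose OLE1 blob merely spells out the class name in hex.
SAMPLE_RTF = (
    "{\\rt\\ansi\\deff0"
    "{\\object\\objemb\\objupdate"
    "{\\*\\objclass Equation.3}"
    "{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e33 00}"
    "}}"
)
# Constructed benign sample: plain text, no embedded objects.
BENIGN_RTF = "{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Hello, world.\\par }"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

The script is a triage heuristic, not a detector of the overflow itself: an RTF with an auto-updating Equation Editor object is suspicious in almost any corporate mail flow regardless of the payload, which is why the `suspicious` verdict keys on the object class rather than on byte patterns that an attacker can trivially change. Feed it the attachment as decoded text (`open(path, encoding="latin-1").read()`) and forward anything it flags to a sandbox rather than to the user.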

Milena Dimitrova