Microsoft warns: new spam campaign targets Europeans with backdoor

A new malspam campaign abuses an old Microsoft Office vulnerability CVE-2017-11882 to install a backdoor trojan on users' computers

Microsoft issued a warning about a new malspam campaign that abuses CVE-2017-11882 to install a backdoor trojan on vulnerable systems.

Tech giant Microsoft issued a warning[1] about an Office suite exploit that is being abused by hackers with the help of a malicious spam campaign. According to the brief message, the threat actors are sending out phishing emails with an attached .RTF file which, once opened, checks whether the machine is vulnerable and installs malware without any user interaction whatsoever.

The CVE-2017-11882 vulnerability[2] was patched back in 2017, yet Microsoft Security Intelligence still observes a variety of infections in the wild:

The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.

The campaign mainly targets Europeans, as the spam emails come to the victims written in various European languages.

The malicious RTF file downloads and installs Trojan:MSIL/Cretasker

According to the Microsoft-issued warning, the opened RTF file does not display any pop-ups or ask the user to enable macros; instead, it runs multiple scripts that determine whether or not the machine can be exploited:

In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.

The executed PowerShell command then downloads another file and places it into the Temp and AppData folders. Additionally, the malware creates a scheduled task named SystemIDE, which lets it run again after a reboot and gives it persistence on the machine.

Windows Defender detects the malicious executable as Trojan:Win32/Occamy.C,[3] while the payload is detected as Trojan:MSIL/Cretasker. The exploit itself is flagged as Exploit:O97M/CVE-2017-11882.AD.
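The persistence mechanism described above (a scheduled task named SystemIDE whose payload lives under Temp or AppData) is something a defender can hunt for across a fleet. The following Python script is an added example, not code from Microsoft or from this article: it parses the CSV that `schtasks /query /fo CSV /v` produces on Windows (only five of that command's real columns are kept here) and flags tasks by name or by where their command runs from. The sample output, the host name WS01, the user alice, the benign filler tasks and the AppData allowlist are all constructed for the example; only the SystemIDE task name and the Temp/AppData drop locations come from the article.

```python
import csv
import io

# Task names published as indicators; SystemIDE is the one named in the Microsoft warning.
KNOWN_BAD_TASK_NAMES = {"systemide"}

# Hypothetical allowlist: vendor directories under AppData that legitimately host
# scheduled updaters, so they are not reported as suspicious. Extend per environment.
APPDATA_ALLOWLIST = (
    "\\appdata\\local\\microsoft\\onedrive\\",
)

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to five columns.
# Row 2 mimics the persistence the article describes; rows 1 and 3 are benign filler;
# row 4 is a generic "script from Temp" task that should also be caught.
SAMPLE_SCHTASKS_CSV = "\n".join([
    r'"HostName","TaskName","Status","Task To Run","Run As User"',
    r'"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -k -g","SYSTEM"',
    r'"WS01","\SystemIDE","Ready","C:\Users\alice\AppData\Roaming\svchost.exe","alice"',
    r'"WS01","\OneDrive Standalone Update Task","Ready","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice"',
    r'"WS01","\Updater","Ready","powershell -w hidden -f C:\Users\alice\AppData\Local\Temp\update.ps1","alice"',
])


def parse_schtasks_csv(text):
    """Parse schtasks CSV output into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def assess_task(row):
    """Return the list of reasons a single task row looks suspicious (empty if none)."""
    name = row["TaskName"].strip("\\").lower()
    cmd = row["Task To Run"].lower()
    reasons = []
    if name in KNOWN_BAD_TASK_NAMES:
        reasons.append("known-name")
    if "\\temp\\" in cmd:
        # Anything scheduled to run out of a Temp directory deserves a look.
        reasons.append("runs-from-temp")
    elif "\\appdata\\" in cmd and not any(ok in cmd for ok in APPDATA_ALLOWLIST):
        # AppData is a common drop location, but legitimate updaters live there too,
        # so the allowlist suppresses known vendor paths.
        reasons.append("runs-from-appdata")
    return reasons


def find_suspicious_tasks(text):
    """Map each suspicious task name to its reasons, for the whole schtasks dump."""
    findings = {}
    for row in parse_schtasks_csv(text):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, why in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV).items():
        print(f"{task}: {', '.join(why)}")
```

On a real host, feed the script the output of `schtasks /query /fo CSV /v` instead of the constructed sample; the column names used here ("TaskName", "Task To Run") are the ones that command emits. The name match is the narrow, high-confidence check, while the Temp/AppData rules are broad heuristics that need an allowlist tuned to the software actually deployed.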

CVE-2017-11882 is dangerous, make sure you patch your system

Even though the CVE-2017-11882 vulnerability was patched back in November 2017, it still remains one of the most popular exploits used by hackers. According to research performed by Recorded Future, the flaw ranks as the third most abused vulnerability of 2018.[4] Most recently, the bug was used in Central Asia to attack governmental sites and install the HawkBall backdoor.[5]

So, why is it that popular? Because the exploit does not require any user interaction, unlike many other MS Office exploits in the wild. In the majority of cases, users have to accept a User Account Control pop-up or enable macros before an exploit becomes active. With thousands of spam campaigns in the wild, users need to learn how to protect themselves.

The way spam campaigns work is relatively simple: bad actors send out thousands of emails to (random) potential victims. While some messages can be well crafted, others barely consist of a few words, as is the case with the currently active campaign.

Some spam emails might be exceptionally well written and very believable. To avoid any consequences when it comes to CVE-2017-11882, users should patch their systems immediately.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
