Security researchers at Microsoft have issued a warning concerning an ongoing spam wave which utilizes malicious RTF documents to infect users’ systems with malware.
According to the company, the spam wave is specifically targeting European users as the emails are sent in various European languages. The Microsoft Security Intelligence team explained how the campaign worked, saying:
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload.”
The final payload is a backdoor trojan whose command and control servers went offline around the same time Microsoft issued its warning on the campaign.
Equation Editor vulnerability
As the initial infection vector relies on an older Office vulnerability, users can be completely safe from this spam campaign by updating their software as Microsoft patched the vulnerability back in November of 2017.
The vulnerability is referred to as CVE-2017-11882 and is a codename for a vulnerability in an older version of the Equation Editor component included with Office. Security researchers from Embedi discovered a bug in this older component back in 2017 that allowed hackers to execute code on a user’s device after they opened a weaponized Office file containing a special exploit.
Once a second Equation Editor bug was discovered in 2018, Microsoft decided to completely remove the older Equation Editor component from Office. However, as organizations and individuals often fail or forget to install software updates, cybercriminals were still able to exploit the vulnerability even after the company released an update that would mitigate the issue.
According to a report from Recorded Future as well as one from Kaspersky Lab, the CVE-2017-11882 vulnerability was one of the top exploited vulnerabilities of 2018 as hackers continued to prey on users that had yet to update their software.