Microsoft warns of active Office exploit campaign

Microsoft has issued a warning that spam campaigns in Europe are exploiting an Office vulnerability to attack users; simply opening the attached file can infect the machine.

According to Microsoft, this is an active email malware campaign targeting Europe that spreads RTF files exploiting CVE-2017-11882, which lets an attacker run malicious code automatically, with no user interaction beyond opening the document.

CVE-2017-11882 is a memory-corruption flaw in the Office Equation Editor component; an RTF or Word document crafted to trigger it executes attacker-supplied commands as soon as it is opened. The vulnerability was patched in November 2017, but Microsoft said it has seen an increase in attacks exploiting it in the past few weeks.

According to Microsoft, when the attachment opens, it "executes multiple scripts of different types (VBScript, PowerShell, PHP, etc.) to download the payload."

"When we tested one of the sample documents, opening it immediately started executing a script downloaded from Pastebin, which executed a PowerShell command. The PowerShell command then downloaded a base64-encoded file and saved it to %temp%\bakdraw.exe, then copied bakdraw.exe to %UserProfile%\AppData\Roaming\SystemIDE and configured a scheduled task called SystemIDE to start the executable, adding persistence."
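The infection chain quoted above leaves a recognisable trail in endpoint telemetry: an Equation Editor process spawning a child, a dropped bakdraw.exe in the user's Temp folder, a copy under AppData\Roaming\SystemIDE, and a scheduled task named SystemIDE. The following hunting script is an added example, not code from Microsoft or from the article; it runs over constructed Sysmon-style events (made up for this example, formatted as key="value" pairs) and flags each of those indicators. The EQNEDT32.EXE parent-process check is based on the known exploitation path of CVE-2017-11882 (Equation Editor launching a shell), which the article itself does not spell out.

```python
"""Hunt Sysmon-style telemetry for the CVE-2017-11882 / bakdraw.exe infection chain."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real campaign telemetry). Each event is a line of
# key="value" pairs; EventID 1 = process creation, EventID 11 = file creation.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" ParentImage="C:\\Windows\\explorer.exe" CommandLine="WINWORD.EXE C:\\Users\\alice\\Downloads\\invoice.rtf"',
    # Equation Editor is started out-of-process by DCOM, so its parent is svchost, not WINWORD.
    'EventID="1" Image="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" ParentImage="C:\\Windows\\System32\\svchost.exe" CommandLine="EQNEDT32.EXE -Embedding"',
    # The exploit's shellcode launches a shell; the base64 blob is a placeholder.
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" CommandLine="cmd.exe /c powershell -w hidden -enc AAAA"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="powershell -w hidden -enc AAAA"',
    'EventID="11" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\bakdraw.exe"',
    'EventID="11" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\SystemIDE\\bakdraw.exe"',
    'EventID="1" Image="C:\\Windows\\System32\\schtasks.exe" ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="schtasks /create /tn SystemIDE /tr C:\\Users\\alice\\AppData\\Roaming\\SystemIDE\\bakdraw.exe /sc onlogon"',
    # Benign noise that must not match.
    'EventID="1" Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
    'EventID="11" Image="C:\\Windows\\explorer.exe" TargetFilename="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\normal.dotm"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased final component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the names of the indicators a single event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1":
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Equation Editor spawning any child process is the classic post-exploitation
        # step for CVE-2017-11882 (assumed from the vulnerability, not from the article).
        if parent == "eqnedt32.exe":
            hits.append("eqnedt32_child_process")
        # Persistence via a scheduled task named SystemIDE, as described by Microsoft.
        if (basename(ev.get("Image", "")) == "schtasks.exe"
                and re.search(r"/create\b", cmd, re.I)
                and re.search(r"/tn\s+systemide\b", cmd, re.I)):
            hits.append("schtask_systemide")
    elif eid == "11":
        target = ev.get("TargetFilename", "")
        parts = [p.lower() for p in PureWindowsPath(target).parts]
        # First-stage drop: %temp%\bakdraw.exe.
        if basename(target) == "bakdraw.exe" and "temp" in parts:
            hits.append("bakdraw_in_temp")
        # Second-stage copy under %UserProfile%\AppData\Roaming\SystemIDE.
        if "appdata" in parts and "roaming" in parts and "systemide" in parts:
            hits.append("roaming_systemide_drop")
    return hits


def scan(lines):
    """Return (indicator, event) pairs for every matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for hit in check_event(ev):
            findings.append((hit, ev))
    return findings


def chain_score(findings):
    """Number of distinct chain stages observed; 2 or more is strong evidence."""
    return len({hit for hit, _ in findings})


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for hit, ev in results:
        print(f"{hit:24s} {ev.get('CommandLine') or ev.get('TargetFilename')}")
    print("distinct stages:", chain_score(results))
```

Two points a practitioner should carry over from this: because EQNEDT32.EXE is started by DCOM, its parent is svchost.exe, so a rule that only watches WINWORD.EXE children misses this exploit entirely; and the file name bakdraw.exe and task name SystemIDE are specific to this campaign and will change, while Equation Editor spawning a shell is the durable signal.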

Microsoft describes the executable as a backdoor that is currently configured to connect to a malicious domain that is no longer reachable. This means that even if a computer is infected, the backdoor cannot contact its command-and-control server to receive commands. However, the payload could easily be swapped for a working one, so Microsoft recommends that all Windows users install the security update for this vulnerability as soon as possible.

It is worth noting that FireEye also recently reported exploitation of CVE-2017-11882 in an attack targeting Central Asia that installed a new backdoor called HawkBall. It is not clear whether the two campaigns are related.
