On Twitter, the Microsoft Security Intelligence profile has posted a warning about a new spam campaign that uses malicious attachments and is targeting Europe. The attack exploits a security vulnerability in RTF files, CVE-2017-11882, that affects users of Microsoft Office and Microsoft WordPad. The attackers aim to persuade users to open a malicious file that will infect their devices with malware.
“An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction”, said the warning.
The good news is that the CVE-2017-11882 vulnerability was already patched in November 2017, but Microsoft reports that it has seen an increase in the number of attacks that exploit the vulnerability using malicious files. Therefore, the recommendation is that users always keep their systems up to date.
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down”.
Understanding the CVE-2017-11882 vulnerability
On its website, Microsoft states that the vulnerability CVE-2017-11882, which affects Microsoft Office and Microsoft WordPad users, could allow an attacker to take control of the victim's machine. In practice, this means that victims logged on with administrative user rights are the most exposed.
“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The scam needs minimal user interaction: the victim only has to open the file. To get that far, crooks rely on phishing and spam campaigns that lie to and persuade the victim into interacting with the malicious file. In addition to email attachments, cybercriminals can also use malicious websites and malicious links to spread their threats.
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability”, says Microsoft.
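As an added defender-side example (not from the article or from Microsoft), the following Python function triages an RTF attachment for an embedded Equation Editor OLE object, the component patched for CVE-2017-11882; the RTF strings and the object payload are constructed for the demonstration, not taken from the campaign.

```python
import re

# Equation Editor registers the OLE class "Equation.3" under the CLSID
# {0002CE02-0000-0000-C000-000000000046}; this is its little-endian byte form.
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# Constructed samples: a harmless RTF and one that merely embeds an Equation
# object header (no exploit content), enough to exercise the checks below.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report attached.\\par}"
CONSTRUCTED_EQUATION_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata d0cf11e0a1b11ae1 02ce020000000000c000000000000046}}}"
)


def rtf_triage(data: bytes) -> dict:
    """Return indicators that an RTF file embeds an Equation Editor object."""
    text = data.decode("latin-1").lower()
    found = {
        "embedded_object": "\\object" in text,
        # \objclass names the OLE class the host will load for the object
        "equation_objclass": re.search(r"\\objclass\s*equation\.\d", text) is not None,
        # \objupdate forces the object to load as soon as the document opens
        "objupdate_autoload": "\\objupdate" in text,
        "equation_clsid_in_objdata": False,
    }
    # \objdata carries the OLE payload as a hex dump; decode it and look for the CLSID
    for blob in re.findall(r"\\objdata\s*([0-9a-f\s]+)", text):
        try:
            raw = bytes.fromhex(re.sub(r"\s+", "", blob))
        except ValueError:
            continue  # malformed hex: ignore rather than crash the scanner
        if EQUATION_CLSID_LE in raw:
            found["equation_clsid_in_objdata"] = True
    found["suspicious"] = found["embedded_object"] and (
        found["equation_objclass"] or found["equation_clsid_in_objdata"]
    )
    return found


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("equation", CONSTRUCTED_EQUATION_RTF)):
        print(name, rtf_triage(sample))
```

A hit is a reason to quarantine the attachment and check that the November 2017 update is installed on the recipient's machine, not proof of malice by itself, since legitimate documents can embed equations too.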