Microsoft has sent out a warning to users regarding a newly discovered email phishing campaign. Bad actors are distributing malicious RTF files across all versions of Microsoft Office and Windows. What’s interesting about this attack is it is an exploit for a vulnerability Microsoft patched back in 2017.
Known as CVE-2017-11882, the vulnerability allows RTF files loaded with malicious content to be implemented. Attackers can run their code without needing any interaction from the user. Microsoft says while a patch was issued for all Office and Windows versions dating to 2000 in 2017, the exploit is still being used in attacks.
In a tweet, the company said users still need to download and install the relevant security fixes.
“Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.”
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019
In summary of the vulnerability, Tripwire explains how nearly two decades of Windows and Office versions are affected. Attackers can leverage the vulnerability to run arbitrary code on a machine that has not been patched.
“In [an] analysis, for instance, researchers found a digital attacker could easily launch a file from the WebDAV server under their control as well as use an OLE auto-update to exploit the flaw without any user interaction.”
Attack
The attack is implemented as a classic phishing move. Users receive and email with an RTF file attachment. The emails are in several European languages and look legitimate. Unwitting users who click the file download scripts that run backdoor malicious content. This payload attempts to connect to the command-and-control server and take control over a machine.
It is worth noting that allowing the attack to implement is a two-step process. Firstly, the user needs to click on the attachment, which displays an intentionally blurred document. Users are prompted to enable editing to clear the blurry content. If this is done, the loading of the malicious content begins.
Users can avoid being caught by this bug in several ways. The best method is to follow Microsoft’s advice and make sure your machine has the 2017 patch. Of course, as always, users should avoid from clicking links or attachments in emails unless they are completely sure of their origin.
