Microsoft Office vulnerability (CVE-2017-11882) continuously being utilized to download Infostealer malware

Product / Version includes:

OfficeScanXG , Apex One2019 , Deep Discovery InspectorAll , Worry-Free Business Security Advanced10.0 , Worry-Free Business Security Standard10.0 , ScanMail for Exchange14.0 , Deep Security12.0 , Deep Discovery Email InspectorAll

Last updated: 2021/08/28

Solution ID: KA-0011280

Category: Remove a Malware / Virus

Summary

Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) is a remote code execution vulnerability which can enable an attacker to execute arbitrary code on the compromised machine. The vulnerability resides on a MS Office component called Equation Editor, an out-of-process COM server hosted by eqnedt32.exe, which was compiled on November 2009 and still being used in supported versions of MS Office without further recompilation. This vulnerability was patched by Microsoft on November 14, 2017 however it’s still being actively used in attacks. Malwares that utilize this exploit usually arrives via malspam campaign as a weaponized Microsoft Office document. The targeted platforms are MS Office 2007, 2010, 2013, and 2016 (including Office 360).

In line with the current events, COVID-19 themed or fake shipping documents, quotation or invoice malspam and phishing mails are used to trick the victim to open the malicious attachment. These attachments are documents such as Word, Excel, and Rich Text Format (RTF) files to leverage the vulnerability and download malware payload on the compromised machine. This vulnerability serves as a downloader for infostealer malware such as FAREIT, LOKI or NEGASTEAL.

Behaviour

Downloads information stealer malware such as FAREIT, LOKI or NEGASTEAL
Uses Equation Editor to download and execute the malware payload

Capabilities

Exploits
Download Routine

Impact

Compromise system security - downloads and installs additional malwares

Additional Threat Reference Information

Infection Chain

cid:image003.jpg@01D63290.18816160

MITRE ATT&CK Matrix

BEHAVIOR	TACTIC	TECHNIQUE
Arrives as an Invoice document attachment	Initial Access	T1193 Spearphishing Attachment
File is obfuscated with several invalid control words and whitespaces	Defense Evasion	T1027 Obfuscated Files or Information
Takes advantage of CVE-2017-11882 exploit upon opening of the document	Execution	T1203 Exploitation for Client Execution
Uses eqnedt32.exe to execute arbitrary code	Lateral Movement, Execution	T1175 Component Object Model and Distributed COM
Downloads and execute malware payload to compromised machine	Command and Control, Lateral Movement	T1105 Remote File Copy

Available Solutions

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 5432	May 20, 2020	-
URL Protection	Yes	In the Cloud	-	-
Advanced Threat Scan Engine (ATSE)	Yes	15.869.00	May 15, 2020	EXPL_CVE1711882
Predictive Machine Learning	Yes	In the Cloud	-	Downloader.VBA.TRX.XXVBAF01FF007 Downloader.VBA.TRX.XXVBAF01FF008
File detection (VSAPI)	Yes	ENT OPR 15.882.05	May 21, 2020	Trojan.W97M.CVE201711882.SMOH Trojan.W97M.CVE201711882.BCKCFH Trojan.W97M.CVE201711882.PVSMW Trojan.W97M.CVE201711882.SNO Trojan.X97M.CVE201711882.YQUOOSV
Network Pattern	No	-	-	-
Behavioral Monitoring (AEGIS)	Yes	TMTD OPR 2121	May 22, 2020	-

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Microsoft Office vulnerability (CVE-2017-11882) continuously being utilized to download Infostealer malware

Microsoft Office vulnerability (CVE-2017-11882) continuously being utilized to download Infostealer malware

Product / Version includes:

Summary