CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office caused by improper handling of objects in memory. By tricking a victim into opening a weaponized document, an attacker can exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Some malicious Rich Text Format (RTF) documents distributed as malspam attachments leverage the vulnerability to install a malicious payload on the victim's machine. These malspam and phishing emails use social engineering lures such as fake product order requests and invoice documents to trick victims into opening the attachments. Documents exploiting this vulnerability now serve as downloaders for other high-profile malware such as Loki and Nanocore.
- Downloads high-profile malware, namely Loki and Nanocore
- Uses composite moniker in the RTF file to execute a Windows Script Component (WSC) file or scriptlet (.sct) on the victim’s machine
- Bypasses the Microsoft patch for CVE-2017-0199
- Download Routine
- Compromise system security - downloads and installs additional malware
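As an added, defender-side example (not code from this advisory or from Trend Micro): a small Python scanner that decodes the `\objdata` hex streams of an RTF file and flags the pairing that the documents above rely on, an embedded composite moniker together with a scriptlet (.sct) reference. The composite moniker CLSID is assumed from the public COM documentation, not taken from this page, and the two RTF documents are constructed inline for the demonstration.

```python
import re
import uuid

# CLSID_CompositeMoniker, assumed from COM documentation (not stated on this page).
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046")

# Hex payload of a {\*\objdata ...} group. Real samples often obfuscate this
# group, so a miss here means "unknown", never "clean".
OBJDATA_RE = re.compile(rb"\\objdata\s+([0-9A-Fa-f\s]+)")
# ASCII-only class so stray UTF-16 code points do not bleed into a match.
SCT_RE = re.compile(r"[A-Za-z0-9._\-\\/:]+\.sct", re.IGNORECASE)


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex stream in an RTF file into raw bytes."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:            # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return detection details for one RTF document."""
    result = {"objects": 0, "composite_moniker": False, "scriptlet_refs": []}
    for blob in extract_objdata_blobs(rtf):
        result["objects"] += 1
        # CLSIDs are stored little-endian inside OLE object streams.
        if COMPOSITE_MONIKER_CLSID.bytes_le in blob:
            result["composite_moniker"] = True
        # Moniker display names may be UTF-16LE or ANSI; check both.
        for encoding in ("utf-16-le", "latin-1"):
            result["scriptlet_refs"] += SCT_RE.findall(blob.decode(encoding, "ignore"))
    result["suspicious"] = result["composite_moniker"] and bool(result["scriptlet_refs"])
    return result


def _build_sample(with_moniker: bool) -> bytes:
    """Constructed test document for this example, not a real malware sample."""
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00"          # OLE1-style header prefix
    if with_moniker:
        blob += COMPOSITE_MONIKER_CLSID.bytes_le
        blob += "http://example.invalid/payload.sct".encode("utf-16-le")
    else:
        blob += b"Package\x00"
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + blob.hex().encode() + b"}}}"


MALICIOUS_SAMPLE = _build_sample(True)
BENIGN_SAMPLE = _build_sample(False)
```

Run `scan_rtf()` over a quarantined attachment to get the object count, the moniker flag and any scriptlet references; treat `suspicious` as a triage signal to pair with the pattern detections listed below, not as a verdict on its own.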
Sample Spam (Product Order Request)
|Detection/Policy/Rules|Pattern Branch/Version|Release Date|
|---|---|---|
|ENT|OPR 15.311.00|August 20, 2019|
|TMTD|OPR 1899|May 10, 2019|

In the Cloud

|Pattern Version|Release Date|
|---|---|
|AS Pattern 4860|August 20, 2019|
Solution Map: What should customers do?
|Trend Micro Solution|Product|Latest Version|Virus Pattern|Anti-spam Pattern|Network Pattern|Behavior Monitoring|Predictive Learning Machine|Web Reputation|
|---|---|---|---|---|---|---|---|---|
|Endpoint Security|Apex One|2019|Update pattern via |Not Applicable| |Enable Behavior Monitoring and update pattern via | |Enable Web Reputation Service and update pattern via |
|Endpoint Security|Worry-Free Business Security|Standard (10.0) / Advanced (10.0)|Update pattern via | | | | | |
|Hybrid Cloud Security|Deep Security|12.0|Update pattern via | | | | | |
|Email and Gateway Security|Deep Discovery Email Inspector|3.5|Update pattern via |Update pattern via | | | | |
|Email and Gateway Security|InterScan Messaging Security|9.1| | | | | | |
|Email and Gateway Security|InterScan Web Security|6.5| | | | | | |
|Email and Gateway Security|ScanMail for Microsoft Exchange|14.0| | | | | | |
|Network Security|Deep Discovery Inspector|5.5| | | | | | |
- Make sure to always use the latest pattern available to detect the old and new malware variants.
- Refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- You can also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, contact Trend Micro Technical Support.
- Download and apply the Microsoft update / security patch: