PREVENTED! An active email malware campaign distributes RTF files carrying the CVE-2017-11882 exploit. Patch at your own pace

June 11, 2019


Minerva Labs

Microsoft Security Intelligence issued a warning on Friday, June 8th, that it had detected an active campaign whose RTF attachments exploit a well-known vulnerability in Microsoft Office and WordPad, identified as CVE-2017-11882. The vulnerability affects EQNEDT32.EXE, the Equation Editor component responsible for inserting and editing equations as OLE objects in documents. The component fails to properly handle objects in memory, which the attacker exploits to execute malicious code in the context of the logged-in user. The exploit lets the attacker infect the endpoint simply by having the user open the attached file.

The attacker can gain full control of the target system by chaining the vulnerability with Windows kernel privilege-escalation exploits such as CVE-2017-11847 or CVE-2018-0802.

Although Microsoft patched this vulnerability back in 2017, the warning shows the continued effort to exploit unpatched endpoints, taking advantage of the IT industry's failure to apply software updates and upgrade its software.

A few of our customers have already reported multiple prevented attempts to exploit this vulnerability.

Minerva's Malicious Document Prevention module prevents such attacks. All Minerva customers are fully protected from this attack, as well as from many other Office vulnerabilities, regardless of their Office Suite version and without the need to update the Minerva software. The module is independent of specific document hashes, unlike the hash-based report from Office 365 ATP in this case, and prevents the attack at the earliest possible stage, before exploitation takes place, so the payload is not even downloaded to the endpoint (before any damage has been done). Minerva empowers enterprises to take full advantage of productivity suites such as Microsoft Office without being concerned about disruption to operations and employees' ability to perform their daily business activity. With Minerva protecting them from such threats, the IT and Security teams can patch their systems at their own pace without interfering with business activities.
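As an added illustration of a hash-independent check for the lure described above (this is example code written for this page, not Minerva's module), the following scans an RTF attachment for an embedded Equation Editor OLE object, the carrier of CVE-2017-11882, by looking at the `\objclass` control word and hex-decoding `\objdata` to find the Equation.3 ProgID or the Equation Editor 3.0 CLSID. The sample documents are constructed inline; the OLE1 header built by `_ole1_object` is only enough of the real structure to exercise the scanner.

```python
import re
import struct

# Equation Editor 3.0 (EQNEDT32.EXE) shows up in OLE data as ProgID "Equation.3" and as
# CLSID {0002CE02-0000-0000-C000-000000000046}, stored with its first three groups little-endian.
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\\{}\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def extract_objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata run; RTF allows whitespace and line breaks inside the hex."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # odd length means truncated hex: decode only the whole bytes
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs

def scan_rtf(rtf: bytes) -> list:
    """Return findings describing embedded Equation Editor objects; an empty list means none seen."""
    findings = []
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith(b"equation"):
            findings.append("objclass=" + m.group(1).decode("ascii", "replace"))
    for i, blob in enumerate(extract_objdata_blobs(rtf)):
        if EQUATION_PROGID in blob.lower():
            findings.append("objdata[%d]: ProgID Equation.3" % i)
        if EQUATION_CLSID_LE in blob:
            findings.append("objdata[%d]: Equation Editor CLSID" % i)
    return findings

def _ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Constructed OLE1 embedded-object header as found in \\objdata (header only, not a full stream)."""
    name = class_name + b"\0"
    return (struct.pack("<III", 0x00000501, 0x00000002, len(name)) + name
            + struct.pack("<III", 0, 0, len(native)) + native)

# Constructed samples: one document carrying an Equation.3 object, one harmless document.
_eq_hex = _ole1_object(b"Equation.3", b"\xd0\xcf\x11\xe0" + EQUATION_CLSID_LE).hex().encode()
SAMPLE_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata " + _eq_hex[:20]
              + b"\n" + _eq_hex[20:] + b"}}}")
BENIGN_RTF = rb"{\rtf1 Quarterly report\par}"
```

Real samples often obfuscate `\objdata` with stray control words or case tricks, so a production filter should normalise the RTF before decoding; the checks here are the minimum that a hash-based signature misses.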

