This Microsoft Office exploit was fixed years ago, but hackers are still abusing it.

Software vendors regularly release patches for known vulnerabilities, but customers often fail to install them, and cybercriminals are well aware of this. Menlo Labs recently observed a series of attacks in which cybercriminals continue to exploit an old Microsoft Office vulnerability, tracked as CVE-2017-11882, even though it was patched more than two years ago. The attacks targeted companies in the real estate, entertainment and banking sectors in Hong Kong and North America. The vulnerability lies in Microsoft Equation Editor, the Office component that lets users embed mathematical equations or formulas in any Office document. According to a recent FBI report, CVE-2017-11882 is one of the top 10 vulnerabilities that cybercriminals regularly exploit.

Taking advantage of old vulnerabilities

The first attack observed by Menlo Labs used an RTF file to trigger CVE-2017-11882 in Microsoft Office. When a user opens the Word document, which was hosted on the loginto.me site, the vulnerability fires and an HTTP request is made to a bit.ly link. The bit.ly link redirects to the Femto Loader, which downloads an executable. Once that executable runs on the endpoint, it makes a further HTTP request to paste.ee, from which the attacker's payload is downloaded. The payload is the NetWire Remote Access Trojan (RAT), which is used to steal credentials and payment card data.

The second attack Menlo Labs saw in the wild was hosted on dropsend.com, which appears to be a popular file-sharing website. The site was used to host a malicious Microsoft Excel file that, when opened, makes an HTTP request to download the Agent Tesla malware. Agent Tesla is a RAT capable of stealing credentials, taking screenshots and uploading additional files.

The most recent attack exploiting CVE-2017-11882 used an authorization lure as the file name, with the file itself hosted on OneDrive. When a user opens the malicious Excel file, it downloads and runs a file containing the Houdini (also known as H-Worm) RAT.

In a blog post, Vinay Pidathala, director of security research at Menlo Labs, provided more detail on the company's findings: "The fact that CVE-2017-11882 continues to be used attests not only to the reliability of the exploit, but also to the fact that some companies are still using outdated software. It is essential to patch applications and operating systems to protect them from security issues, but the shortage of cybersecurity professionals combined with the ever-changing business environment makes it more difficult for companies to establish a proper patch management process."
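As an added, defender-side example (not code from Menlo Labs or the article): a small Python check that flags RTF documents embedding an Equation Editor OLE object, the component in which CVE-2017-11882 lives. The ProgID `Equation.3` and CLSID `0002CE02-0000-0000-C000-000000000046` are the public identifiers of Equation Editor 3.0; the RTF sample is constructed for the demo and is not a working exploit.

```python
import re
import uuid

# Public identifiers of Equation Editor 3.0, the Office component patched for CVE-2017-11882.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le      # GUIDs are stored little-endian inside OLE data
EQNEDT_PROGIDS = (b"equation.3", b"equation.2", b"equation.dsmt4")

OBJCLASS_RE = re.compile(rb"\\objclass\s*([^}\\]+)")          # {\*\objclass Equation.3}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")     # {\*\objdata 0105...}


def decode_objdata(rtf: bytes) -> list[bytes]:
    """Decode the hex payload of every \\objdata group into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            blobs.append(b"")   # odd-length or malformed hex: count the object, nothing to inspect
    return blobs


def equation_editor_indicators(rtf: bytes) -> dict:
    """Flag RTF content that embeds an Equation Editor object (by ProgID or CLSID)."""
    classes = [c.strip().lower() for c in OBJCLASS_RE.findall(rtf)]
    blobs = decode_objdata(rtf)
    progid_hit = any(c in EQNEDT_PROGIDS for c in classes)
    clsid_hit = any(EQNEDT_CLSID_LE in b for b in blobs)
    return {
        "object_count": len(blobs),
        "equation_progid": progid_hit,
        "equation_clsid": clsid_hit,
        # \objupdate makes Word load the object on open, so no user click is needed
        "objupdate": b"\\objupdate" in rtf,
        "suspicious": progid_hit or clsid_hit,
    }


# Constructed sample (not a real exploit): an OLE1 wrapper naming "Equation.3"
# followed by the Equation Editor CLSID bytes, as a content scanner would see them.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi Quarterly invoice attached.\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e330000000000"
    + EQNEDT_CLSID_LE.hex().encode() + b"}}}"
)

if __name__ == "__main__":
    print(equation_editor_indicators(SAMPLE_RTF))
```

A hit is a triage signal for mail or web gateways, not proof of exploitation: legitimate documents with equations embed the same object, and the remediation remains installing the patch.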