In their previous spear-phishing campaigns, the DLL is a component of the penetration testing tool Cobalt Strike, which they abuse to hijack the infected system. The final payload is a dynamic-link library (DLL) file. The Cobalt hacking group also weaponized this security flaw in one of their campaigns in late November, sending out a similarly constructed RTF file.
The attack chain involves the use of a command that retrieves the payloads from a remote Server Message Block (SMB) open directory. Trend Micro’s initial and ongoing analysis also found that a spammer group is also actively exploiting CVE-2017-11882 to infect systems with information stealers Pony/ FAREIT and FormBook. How are attackers exploiting CVE-2017-11882? Loki can also harvest data from “Sticky”-related (i.e., Sticky Notes) and online Poker game applications. The Loki family can steal account information from File Transfer Protocol (FTP) clients, as well as credentials stored on various web browsers and cryptocurrency wallets.
A proof-of-concept exploit was released publicly, but this has been fixed by Microsoft’s November Patch Tuesday.
The flaw resides within Equation Editor (EQNEDT32.EXE), a component in Microsoft Office that inserts or edits Object Linking and Embedding (OLE) objects in documents. When exploited successfully, it can let attackers execute remote code on a vulnerable machine-even without user interaction-after a malicious document is opened. What does CVE-2017-11882 entail?ĬVE-2017-11882 is a 17-year old memory corruption issue in Microsoft Office (including Office 360). The payload is dropped via an HTML Application (HTA) that invokes PowerShell, which then retrieves the information stealer.
Trend Micro uncovered a malicious Rich Text Format (RTF) file exploiting CVE-2017-11882 to deliver the spyware Loki (TSPY_LOKI).