Microsoft’s security researchers have issued a warning on Friday afternoon about an ongoing spam wave that is spreading emails carrying malicious RTF documents that infect users with malware without user interaction, once users open the RTF documents.
Microsoft said the spam wave appears to target European users, as the emails are sent in various European languages.
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload,” the Microsoft Security Intelligence team said.
The final payload is a backdoor trojan, Microsoft said. Fortunately, the trojan’s command and control server appears to have gone down by Friday, when Microsoft issued its security alert.
However, there is always the danger of future campaigns that may exploit the same tactic to spread a new version of the backdoor trojan that connects to a working server, allowing crooks direct access to infected computers.
The good news is that users can be completely safe from this spam campaign. The initial infection vector relies on an old Office vulnerability that Microsoft patched back in November 2017.
Users who applied the November 2017 Patch Tuesday security updates should be safe.
The vulnerability is tracked as CVE-2017-11882. This is a codename for a vulnerability in an older version of the Equation Editor component that ships with Office installs, and used for compatibility purposes in addition to Microsoft’s newer Equation Editor module.
Back in 2017, security researchers from Embedi discovered a bug in this older component that allowed threat actors to execute code on users’ device without any user interaction whenever a user would open a weaponized Office file that contained a special exploit.
Because Microsoft appeared to have lost the source code for this old component, and after the discovery of a second Equation Editor bug in 2018, Microsoft decided to remove the older Equation Editor component altogether from the Office pack in January 2018.
However, it is known that many users and companies often fail or forget to install security updates in a timely manner.
CVE-2017-11882, ONE OF TODAY’S MOST POPULAR VULNERABILITIES