- Microsoft has issued a warning on an ongoing malspam campaign that drops a backdoor trojan by abusing an old MS Office vulnerability.
- The backdoor trojan’s C&C server has been taken down since Microsoft issued a security alert.
Microsoft has issued a warning on an ongoing malspam campaign that drops a backdoor trojan by abusing an old MS Office vulnerability. This campaign targets European users with emails written in various European languages.
How does this campaign work?
- The spam emails include malicious RTF documents that, when opened, download a backdoor trojan without any user interaction.
- The RTF documents download the malicious payload by exploiting an already patched Office vulnerability and running multiple scripts of different types (VBScript, PowerShell, PHP, among others).
“An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction,” Microsoft Security Intelligence tweeted.
What is the Microsoft Office vulnerability?
The Microsoft Office vulnerability (tracked as CVE-2017-11882) was patched in November 2017; however, it has been exploited ever since. It was also ranked as the third-most exploited vulnerability of 2018.
This vulnerability allows attackers to execute code on users' devices without any user interaction.
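A triage check for RTF attachments like those described above, as an added example (not code from Microsoft or from the original article). It assumes the publicly documented fact that CVE-2017-11882 lies in the Equation Editor component, whose OLE class name is `Equation.3`; the function names and the inert sample document are constructed for illustration.

```python
import binascii
import re

# Class name of the Equation Editor OLE server, the Office component that
# CVE-2017-11882 affects (public knowledge, not stated on the page).
EQUATION_CLASS = b"equation.3"
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of every \\objdata group in an RTF file."""
    for m in re.finditer(rb"\\objdata", rtf):
        depth, end = 0, m.end()
        # Walk to the brace that closes the group holding \objdata.
        while end < len(rtf) and depth >= 0:
            depth += {0x7B: 1, 0x7D: -1}.get(rtf[end], 0)
            end += 1
        # Drop control words first (names such as \fade contain hex letters),
        # then keep only hex digits so whitespace and nesting cannot hide data.
        body = CONTROL_WORD.sub(b"", rtf[m.end():end])
        digits = re.sub(rb"[^0-9a-fA-F]", b"", body)
        yield binascii.unhexlify(digits[: len(digits) & ~1])


def triage(rtf: bytes) -> dict:
    """Return indicators worth a closer look; not a verdict on its own."""
    return {
        "is_rtf": rtf.lstrip().startswith(b"{\\rt"),  # lenient header match
        "equation_object": any(EQUATION_CLASS in blob.lower()
                               for blob in objdata_blobs(rtf)),
        # \objupdate asks the reader to refresh the object when the file loads.
        "auto_update": b"\\objupdate" in rtf,
    }


def constructed_sample() -> bytes:
    """Constructed, inert RTF: OLE1 header naming Equation.3, zero-filled body."""
    header = (bytes.fromhex("0105000002000000") + (11).to_bytes(4, "little")
              + b"Equation.3\x00" + bytes(16))
    hexed = header.hex()
    # Mimic common obfuscation: mixed case and whitespace inside the hex.
    noisy = " \r\n".join(hexed[i:i + 7].upper() if i % 2 else hexed[i:i + 7]
                         for i in range(0, len(hexed), 7))
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata "
            + noisy.encode() + b"}}}")


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A hit on `equation_object` means the attachment embeds an Equation Editor object and should be quarantined for analysis; on a patched system the object is still a reason to inspect the file.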
The good news
The good news is that the backdoor trojan’s C&C server has been taken down since Microsoft issued a security alert. However, to avoid future exploitation, it is wise to patch the vulnerability by installing the November 2017 Patch Tuesday security updates.