Microsoft Office, one of the oldest productivity software used in enterprises as well as by individuals, has been on target of cybercriminals for several decades. But, recent reports suggest that hackers are now prioritizing this over other attack vectors, such as PDFs.
Microsoft Office on Target
The recent 2020 Cyber Threat Report by SonicWall provides several insights about the recent cyber attack trends, and according to that, Microsoft Office appears to be witnessing a dramatic change in the attacker’s priorities.
In the first half of 2019, the use of PDFs (36,488 cases) outpaced that of Office documents (25,461 cases). But in H1 2020, attackers preferred Microsoft Office - 22.4% of all malicious file types - as a delivery mechanism for malware over PDFs with 10.7% share.
According to the report, the most exploited vulnerabilities are CVE-2017-11882 and CVE-2018-0802, found in the Equation Editor, which is available in all versions of Microsoft Word since Office 2007.
Within the past few days, ZLoader operators were seen making enhancements to the MS Excel document delivery mechanism, including new techniques to prevent detection by the signature-based anti-malware engines, and hindering the debugging procedures and analysis in the sandbox.
The Equation Editor Vulnerability
The CVE-2017-11882 is a memory-corruption vulnerability in Equation Editor, that has been actively used by several hackers in the past few months.
In May 2020, a new cyber-espionage framework named Ramsay was detected, which was tailored for the collection and exfiltration of sensitive documents by exploiting CVE-2017-0199 and CVE-2017-11882.
In April 2020, some threat actors were seen targeting users with a new spearphishing email designed to spread the LokiBot Trojan, sent using the WHO trademark as a lure. Hackers exploited the CVE-2017-11882 vulnerability on the targeted devices.
The report suggests that the number of malicious files (both PDFs and Office files) has dipped a bit in the second quarter of 2020, as compared to the first quarter. But news about ZLoader preparators making enhancements in Office-related delivery mechanisms suggests that they are not planning to stop using these attack vectors anytime soon.