NEWS:
Menlo Security announces strategic partnership with Google
Icon Rounded Closed - BRIX Templates

Microsoft Equation Editor—Attackers continue to exploit CVE-2017-1182…

Vinay Pidathala
|
June 28, 2020

Menlo labs has observed limited attacks, where attackers are continuing to exploit CVE-2017-11882, an old Microsoft exploit with a patch that was issued more than two years ago. As a matter of fact, an FBI report published on May 12 2020, listed it as one of the top 10 vulnerabilities routinely getting exploited. We are still analyzing some details of the malware involved in the three attacks and will post it in part 2 of this series. The following are some noteworthy features in all the attacks we identified.

  • All of the weaponized payloads were hosted on well-known cloud security storage platforms -me, dropsend.com and onedrive
  • We don’t believe all the attacks were part of the same campaign as there is no infrastructure overlap and each attack leverages different malware
  • Different malware droppers were used in the attacks for post-exploitation exfiltration and persistence

The attacks we saw targeted:

  • Hong Kong
  • North America

The following industry verticals were targeted:

  • Real Estate
  • Entertainment
  • Banking

In all the attacks we observed, the exploit remained the same, but different Remote Access Trojans were delivered.

Microsoft Equation Editor Background

What is Equation Editor?

Equation Editor is a feature in Microsoft Office that lets the user embed a mathematical equation or a formula inside any office document.

What is CVE-2017-11882?

CVE-2017-11882 is a Microsoft Office exploit that has been written about extensively. In a nutshell, the exploit takes advantage of a stack buffer overflow vulnerability in the Microsoft Equation Editor. Due to the manner in which the Equation Editor executable was compiled and linked, it was not using the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features.

This exploit was initially used by APT groups, but was soon incorporated by crimeware groups for widespread use. In January 2018, Microsoft patched all versions of Microsoft Office for this vulnerability. This gave rise to two newer versions of exploits targeting the Equation Editor.

  • CVE-2018-0802—Targets the equation editor, but only works on the versions that were patched for CVE-2017-11882
  • CVE-2018-0798—Targets the equation editor, but works on all versions

CVE-2017-1182 Technical Analysis

Attack 1

The first attack we observed was served from loginto.me. A subdomain under loginto.me was used to serve an RTF file. If the user opens the Word document, CVE-2017-11882 is triggered and an HTTP request to a bit.ly site is made. The bit.ly site redirects to Femto uploader, which ironically, has stopped anonymous uploads because of the excessive abuse by attackers hosting their malicious payloads (see screenshot below).

screenshot of femto with uploads disabled

Once the executable hosted at femto is downloaded and executed on the endpoint, there is another HTTP request to paste.ee, from where data is downloaded.

The downloaded data goes through some character replacements, see screenshot below and eventually the NetWire RAT gets downloaded

screenshot of host and connection

Netwire is a remote access trojan that has been around for a while. The trojan was primarily used to steal credential and payment card data.

screenshot of code

Attack 2

The second attack we observed was hosted on dropsend.com which looks like a popular file-sharing website. The file hosted on this website was a malicious Microsoft excel, with the name Petratex - PO_RFQ.xlsx. Once the Microsoft excel spreadsheet is opened, an HTTP request is made to download the Agent Tesla malware. Agent Tesla is a well-known malware and has been well documented. It is a fully functioning RAT (Remote Access Trojan) that is capable of stealing credentials, taking screenshots, downloading additional files.

screenshot of connection information

Attack 3

The third attack we noticed used the lure of Authorization as the filename. This file was hosted on the one drive. Opening the excel file resulted in a binary downloaded from “centraldeplaya.com”, as is shown in the screenshot below.

screenshot of connection information

The executable downloaded is the Houdini or H-Worm RAT. The following functionalities are built into the RAT.

Command Functionality
execute

Executes a file specified by the C2

update

Overwrites the installed malware with an updated version and executes it

uninstall

Deletes all the reg keys created and the file

Send

POST request to download file from C2

site-send

GET request to download file from C2

recv

Upload a file specified by the C2, to the C2. The POST request is sent to the URI /is-rlartg POST /is-rlsartg{*}<file_name>

 Sleep

Sleep for a specified period of time

Menlo Security has a more detailed write up about this RAT.

Conclusion

The fact that CVE-2017-11882 is continuing to be exploited speaks not only to the reliability of the exploit, but to the fact that there are companies out there that are still using outdated software. Patching applications and operating systems to protect them against security issues is critical, but the shortage of cybersecurity professionals combined with the ever-changing enterprise environment makes it harder for enterprises to put a proper patch management process in place.

See how Menlo Security's cloud-based Malware Protection eliminates all advanced cyber threats on the Internet by isolating all web traffic in our secure browsers.

linkedin logotwitter/x logofacebook logoSocial share icon via eMail