NEW Phishing Attack hits

Back to blog

Microsoft Equation Editor—Attackers continue to exploit CVE-2017-1182…

Vinay Pidathala | Jun 30, 2020

Different devices showing different microsoft software with the caption CVE-2017-11882

Share this article

Menlo labs has observed limited attacks, where attackers are continuing to exploit CVE-2017-11882, an old Microsoft exploit with a patch that was issued more than two years ago. As a matter of fact, an FBI report published on May 12 2020, listed it as one of the top 10 vulnerabilities routinely getting exploited. We are still analyzing some details of the malware involved in the three attacks and will post it in part 2 of this series. The following are some noteworthy features in all the attacks we identified.

  • All of the weaponized payloads were hosted on well-known cloud security storage platforms -me, and onedrive
  • We don’t believe all the attacks were part of the same campaign as there is no infrastructure overlap and each attack leverages different malware
  • Different malware droppers were used in the attacks for post-exploitation exfiltration and persistence
  • The attacks we saw targeted
    • Hong Kong
    • North America
  • The following industry verticals were targeted
    • Real Estate
    • Entertainment
    • Banking
    • In all the attacks we observed, the exploit remained the same, but different Remote Access Trojans were delivered

Microsoft Equation Editor Background

  • What is Equation Editor?
    • Equation Editor is a feature in Microsoft Office that lets the user embed a mathematical equation or a formula inside any office document.
  • What is CVE-2017-11882?
    • CVE-2017-11882 is a Microsoft Office exploit that has been written about extensively. In a nutshell, the exploit takes advantage of a stack buffer overflow vulnerability in the Microsoft Equation Editor. Due to the manner in which the Equation Editor executable was compiled and linked, it was not using the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features
    • This exploit was initially used by APT groups, but was soon incorporated by crimeware groups for widespread use. In January 2018, Microsoft patched all versions of Microsoft Office for this vulnerability. This gave rise to two newer versions of exploits targeting the Equation Editor
      • CVE-2018-0802—Targets the equation editor, but only works on the versions that were patched for CVE-2017-11882
      • CVE-2018-0798—Targets the equation editor, but works on all versions

CVE-2017-1182 Technical Analysis

Attack 1

The first attack we observed was served from A subdomain under was used to serve an RTF file. If the user opens the Word document, CVE-2017-11882 is triggered and an HTTP request to a site is made. The site redirects to Femto uploader, which ironically, has stopped anonymous uploads because of the excessive abuse by attackers hosting their malicious payloads (see screenshot below)

Equation Editor Blog_Fig1

Once the executable hosted at femto is downloaded and executed on the endpoint, there is another HTTP request to, from where, data is downloaded.

The downloaded data goes through some character replacements, see screenshot below and eventually the NetWire RAT gets downloaded.

Equation Editor Blog_Fig2

Netwire is a remote access trojan that has been around for a while. The trojan was primarily used to steal credential and payment card data.

Equation Editor Blog_Fig3

Attack 2

The second attack we observed was hosted on which looks like a popular file-sharing website. The file hosted on this website was a malicious Microsoft excel, with the name Petratex – PO_RFQ.xlsx. Once the Microsoft excel spreadsheet is opened, an HTTP request is made to download the Agent Tesla malware. Agent Tesla is a well-known malware and has been well documented. It is a fully functioning RAT (Remote Access Trojan) that is capable of stealing credentials, taking screenshots, downloading additional files.

Equation Editor Blog_Fig4

Attack 3

The third attack we noticed used the lure of Authorization as the filename.  This file was hosted on the one drive. Opening the excel file resulted in a binary downloaded from “”, as is shown in the screenshot below.

Equation Editor Blog_Fig5

The executable downloaded is the Houdini or H-Worm RAT. The following functionalities are built into the RAT.




Executes a file specified by the C2


Overwrites the installed malware with an updated version and executes it


Deletes all the reg keys created and the file


POST request to download file from C2


GET request to download file from C2


Upload a file specified by the C2, to the C2. The POST request is sent to the URI /is-rlartg POST /is-rlsartg{*}<file_name>


Sleep for a specified period of time

Menlo Security has a more detailed write up about this RAT


The fact that CVE-2017-11882 is continuing to be exploited speaks not only to the reliability of the exploit, but to the fact that there are companies out there that are still using outdated software. Patching applications and operating systems to protect them against security issues is critical, but the shortage of cybersecurity professionals combined with the ever-changing enterprise environment makes it harder for enterprises to put a proper patch management process in place.

See how Menlo Security’s cloud-based Malware Protection eliminates all advanced cyber threats on the Internet by isolating all web traffic in our secure browsers.

Share this article

Make the secure way to work the only way to work.

To talk to a Menlo Security expert, please complete the form.