This Microsoft Office exploit was patched years ago, but is still being abused by hackers


Although software companies routinely issue patches to prevent vulnerabilities from being exploited, customers often forget to install them and cybercriminals are well aware of this.

Menlo Labs recently observed a number of attacks in which cybercriminals continue to exploit an old vulnerability in Microsoft Office, tracked as CVE-2017-11882, despite the fact that it was patched more than two years ago. These attacks targeted businesses in the real estate, entertainment and banking industries in both Hong Kong and North America.

The vulnerability used in the attacks exists in Microsoft's Equation Editor, the Office component that enables users to embed mathematical equations or formulas inside any Office document.

According to a recent report from the FBI, CVE-2017-11882 is one of the top 10 vulnerabilities that are routinely exploited by cybercriminals.

Leveraging older vulnerabilities

The first attack observed by Menlo Labs used an RTF file to trigger CVE-2017-11882 in Microsoft Office. If a user opens the Word document found on the site loginto.me, the vulnerability is triggered and an HTTP request to a bit.ly site is made. The bit.ly site then redirects to Femto uploader, which downloads an executable. Once the executable is opened on an endpoint, another HTTP request is made to paste.ee, from which the attacker's malicious payload is downloaded. The payload contains the NetWire remote access trojan (RAT), which is used to steal credentials and payment card data.
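For defenders triaging RTF attachments like the one in this first attack, the following added example (not code from the article or from Menlo Labs) flags embedded objects that reference Equation Editor. The function names and the sample documents are constructed for illustration, and the Equation Editor 3.0 class name and CLSID it searches for are identifiers not given in the article.

```python
import re

# Identifiers of Microsoft Equation Editor 3.0 (not listed in the article).
EQ_PROGID = b"equation.3"  # OLE class name, lower-cased
EQ_CLSID = bytes.fromhex("02ce020000000000c000000000000046")  # {0002CE02-0000-0000-C000-000000000046} as stored on disk
EQ_STREAM = "Equation Native".encode("utf-16-le")  # stream name inside the OLE2 container

# Hex payload that follows \objdata, up to the next brace or control word.
OBJDATA = re.compile(rb"\\objdata([^{}\\]*)")

def equation_objects(rtf: bytes) -> list:
    """Return one finding per embedded object that carries an Equation Editor marker."""
    findings = []
    for m in OBJDATA.finditer(rtf):
        # Whitespace and mixed case are legal inside the hex run, so normalise first.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        blob = bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))
        markers = [name for name, hit in (
            ("progid", EQ_PROGID in blob.lower()),
            ("clsid", EQ_CLSID in blob),
            ("native_stream", EQ_STREAM in blob),
        ) if hit]
        if markers:
            findings.append({"offset": m.start(), "size": len(blob), "markers": markers})
    return findings

def ole1_header(class_name: bytes) -> bytes:
    """Constructed OLE 1.0 embedded-object header: version, format ID, length-prefixed class name."""
    name = class_name + b"\x00"
    return b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name

def sample_rtf(class_name: bytes) -> bytes:
    """Constructed test document: header plus 8 zero bytes standing in for object data."""
    hexed = (ole1_header(class_name) + bytes(8)).hex()
    # Break the hex every 7 characters and alternate case to exercise the normalisation.
    parts = [hexed[i:i + 7] for i in range(0, len(hexed), 7)]
    hexed = "\r\n".join(p.upper() if n % 2 else p for n, p in enumerate(parts))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexed.encode("ascii") + b"}}}"

if __name__ == "__main__":
    for label in (b"Equation.3", b"Excel.Sheet.8"):
        print(label.decode(), equation_objects(sample_rtf(label)))
```

A hit means the document embeds an Equation Editor object and deserves closer inspection; it does not by itself prove exploitation. Documents that hide the hex behind nested control words need a full RTF parser rather than this single regular expression.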

The second attack Menlo Labs spotted in the wild was hosted on dropsend.com, which looks like a popular file sharing website. This website was used to host a malicious Microsoft Excel file that makes an HTTP request to download the Agent Tesla malware when opened. Agent Tesla is a RAT that is capable of stealing credentials, taking screenshots and downloading additional files.

The final attack exploiting CVE-2017-11882 used "Authorization" as its filename lure, and the file itself was hosted on OneDrive. When a user opens the malicious Excel file, it downloads an executable containing either the Houdini or H-Worm RAT.

In a blog post, Vinay Pidathala, Director of Security Research at Menlo Labs, provided further insight on the firm's discovery, saying:

“The fact that CVE-2017-11882 is continuing to be exploited speaks not only to the reliability of the exploit, but to the fact that there are companies out there that are still using outdated software. Patching applications and operating systems to protect them against security issues is critical, but the shortage of cybersecurity professionals combined with the ever changing enterprise environment makes it harder for enterprises to put a proper patch management process in place.”

Anthony Spadafora
