In a recent phishing campaign, attackers have been exploiting a long-patched vulnerability in Microsoft Office's Equation Editor to distribute the XLoader information stealer. The campaign shows that a flaw fixed years ago stays useful to attackers for as long as unpatched installations exist.
Exploitation of CVE-2017-11882
The attackers are leveraging CVE-2017-11882, a stack buffer overflow in EQNEDT32.EXE, the legacy Equation Editor that Office launches as a separate process to render embedded Equation 3.0 objects. Opening a crafted document is enough to run attacker-controlled code with the privileges of the logged-on user; no macro prompt is involved. Microsoft patched the flaw in November 2017 and removed Equation Editor from Office altogether in its January 2018 updates, so a fully updated installation does not carry the component at all. Installations that never received those updates still do, and they are the ones being targeted.
Phishing Tactics and Attack Chain
The campaign begins with phishing emails posing as purchase or order confirmations, which urge the recipient to open an attached file with a .docx extension that supposedly contains the transaction details. The attachment carries no such details; it delivers a malicious RTF document that exploits the Equation Editor vulnerability as soon as Word loads the embedded object.
Once the RTF file is opened, the following sequence plays out:
1. Creation of Malicious Script: When the RTF is opened, it writes a Client.vbe file (an encoded VBScript) to a temporary directory.
2. Execution via Equation Editor Exploit: The RTF also contains an Equation object that triggers CVE-2017-11882 inside EQNEDT32.EXE; the attacker's code then launches the dropped script with no prompt or other interaction from the user.
3. Deployment of HorusProtector: The script is built with HorusProtector, a commercially sold crypter and loader used to protect and distribute malware. The tool has changed since it was first seen in 2024: the entire final payload is now embedded in the VBE file itself, which makes the script considerably larger.
4. Payload Execution: The VBScript invokes PowerShell to decode the payload and inject XLoader directly into memory, so the final stage is never written to disk as a file and file-based detection does not see it.
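Two checks a defender can run against this chain, added here as an example and not taken from the ASEC report or the campaign: scan_rtf() statically triages an RTF attachment for an embedded Equation Editor object (looking inside the decoded object data as well as at the declared class, since attackers obfuscate \objclass), and detect_eqnedt_chain() applies a process-tree rule to process-creation records. The RTF sample and the event records are constructed for the example; that wscript.exe is the host that runs Client.vbe is an assumption.

```python
"""Added example, not code from the ASEC report or the campaign: two checks
against the attack chain described above.  scan_rtf() statically triages
an RTF attachment for an embedded Equation Editor object, and
detect_eqnedt_chain() applies a process-tree rule to process-creation
records.  SAMPLE_RTF and SAMPLE_EVENTS are constructed here; that
wscript.exe is the host that runs Client.vbe is an assumption."""
import re

# Markers for Microsoft Equation 3.0 (EQNEDT32.EXE) in embedded object data.
EQN_MARKERS = (
    b"Equation.3",                                       # OLE1 class name / ProgID
    "Equation Native".encode("utf-16-le"),               # OLE2 stream name (UTF-16 dir entry)
    bytes.fromhex("02ce020000000000c000000000000046"),   # CLSID {0002CE02-...-0046}, on-disk order
)
_OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9.]+)")
_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(hexblob: str) -> bytes:
    """\\objdata is hex text, often line-wrapped; decode leniently."""
    clean = re.sub(r"\s+", "", hexblob)
    return bytes.fromhex(clean[: len(clean) & ~1])  # drop a dangling nibble


def scan_rtf(data: bytes) -> dict:
    """Triage one RTF document.  Flags an Equation object whether or not the
    declared \\objclass admits to it, since attackers obfuscate that field."""
    text = data.decode("latin-1")  # never fails; only ASCII/hex matters here
    findings = {
        "is_rtf": text.lstrip().startswith("{\\rtf"),
        "objclasses": _OBJCLASS_RE.findall(text),
        "objupdate": "\\objupdate" in text,  # forces the object to load on open
        "equation_object": False,
    }
    if any(c.lower().startswith("equation") for c in findings["objclasses"]):
        findings["equation_object"] = True
    for blob in _OBJDATA_RE.findall(text):
        if any(m in _decode_objdata(blob) for m in EQN_MARKERS):
            findings["equation_object"] = True
    return findings


def _ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE1 embedded-object record as carried in \\objdata (constructed)."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"      # OLE version, format id 2 = embedded
            + len(name).to_bytes(4, "little") + name
            + b"\x00\x00\x00\x00" * 2                        # empty topic and item names
            + len(native).to_bytes(4, "little") + native)


# Constructed attachment: an auto-updating embedded Equation 3.0 object.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + _ole1_object(b"Equation.3", b"\x1c\x00" * 32).hex().encode()
              + b"}}}")

# Constructed process-creation records (Sysmon event 1 style fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\user\AppData\Local\Temp\Client.vbe"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def detect_eqnedt_chain(events):
    """EQNEDT32.EXE only renders equations; it has no business spawning a
    script host or shell, and a script host then spawning PowerShell is the
    next link in the chain.  Returns (rule, command line) pairs in event order."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent == "eqnedt32.exe" and child in SCRIPT_HOSTS:
            hits.append(("eqnedt32_spawns_script_host", ev["CommandLine"]))
        elif parent in ("wscript.exe", "cscript.exe") and child == "powershell.exe":
            hits.append(("script_host_spawns_powershell", ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    for rule, cmd in detect_eqnedt_chain(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The static check is deliberately not a signature for one exploit document: any RTF that embeds an Equation 3.0 object with \objupdate is worth quarantining on a fleet where Equation Editor should no longer exist. The process rule is the higher-fidelity signal and survives whatever the dropped script is called.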
XLoader Malware Capabilities
XLoader, a successor to the FormBook malware family, is an information stealer sold as Malware-as-a-Service on underground forums. It has both Windows and macOS variants and offers the following capabilities:
– Keystroke Logging and Screenshot Capture: Records user inputs and captures screen activity.
– Clipboard Data Theft: Extracts clipboard contents, which can include sensitive data such as cryptocurrency wallet addresses copied during transactions.
– Credential Harvesting: Steals login credentials from web browsers, email clients, and messaging applications.
– Cryptocurrency Wallet Extraction: Targets and extracts information from cryptocurrency wallets.
– Additional Payload Deployment: Can download and execute additional malicious payloads, expanding its functionality.
Persistent Threat of Unpatched Vulnerabilities
Despite patches having been available for years, CVE-2017-11882 is still being exploited, which shows that many organizations and individuals do not apply critical updates promptly. Every installation left in that state is exposed to attacks built on publicly documented, well-understood exploits that require no novelty from the attacker.
Recommendations for Mitigation
To protect against such threats, it is imperative to:
– Apply Security Patches Promptly: Ensure that every Microsoft Office installation has current security updates; for this vulnerability in particular, a fully updated Office no longer contains Equation Editor at all.
– Implement Email Filtering Solutions: Deploy email filtering that inspects attachments for embedded OLE objects and for RTF content delivered under a .docx name, and that blocks known phishing patterns.
– Disable Unnecessary Components: Where EQNEDT32.EXE is still present and not needed, disable it (for example with the COM Compatibility Flags setting Microsoft documented as a workaround for CVE-2017-11882) to remove the attack surface.
– User Education and Awareness: Train users to recognize phishing attempts and to exercise caution when handling unexpected email attachments.
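An audit-and-mitigation script for the patching and component-disabling recommendations, added here as an example and not taken from the ASEC report. It checks the default install paths for EQNEDT32.EXE and applies the COM Compatibility Flags workaround that Microsoft documented for CVE-2017-11882, which stops Office from instantiating the Equation 3.0 object (CLSID {0002CE02-0000-0000-C000-000000000046}). It assumes an elevated PowerShell session and default Office install locations.

```powershell
# Added example (not from the ASEC report): audit a host for Equation Editor
# and apply Microsoft's documented COM Compatibility Flags workaround for
# CVE-2017-11882.  Assumes an elevated session and default install paths.
$clsid = '{0002CE02-0000-0000-C000-000000000046}'   # Microsoft Equation 3.0
$binaries = @(
    "$env:ProgramFiles\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
)
# Native key plus the Wow6432Node key that 32-bit Office reads on 64-bit Windows.
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
)

# 1. Is the vulnerable binary present?  The January 2018 Office updates removed
#    it, so finding it means the host has missed years of Office patches.
$present = @($binaries | Where-Object { Test-Path $_ })
if ($present.Count -eq 0) {
    Write-Output 'EQNEDT32.EXE not found in the default locations.'
}
foreach ($p in $present) {
    $ver = (Get-Item $p).VersionInfo.FileVersion
    Write-Warning "EQNEDT32.EXE present: $p (version $ver)"
}

# 2. Kill-bit: Compatibility Flags = 0x400 tells Office not to instantiate the
#    Equation 3.0 COM object even while EQNEDT32.EXE is still on disk.
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    New-ItemProperty -Path $k -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
}

# 3. Verify the setting landed.
foreach ($k in $keys) {
    $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags').'Compatibility Flags'
    Write-Output ('{0} -> 0x{1:X}' -f $k, $flags)
}
```

The kill-bit is a stopgap, not a substitute for patching: it leaves the binary in place, and existing Equation 3.0 objects in old documents can no longer be opened or edited once it is set. Deploy it through Group Policy or your endpoint manager on hosts that cannot be updated immediately, and remove the exception once the Office update that drops Equation Editor has been applied.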
As ASEC researchers caution, "The fact that malware exploiting past vulnerabilities is still being distributed implies that there are still many users in vulnerable environments." The statement underscores the need for vigilance and proactive security measures against both new and long-known threats.