Posted on June 10, 2019 at 12:01 PM
Microsoft has issued a notice that European users of its Office programs are being targeted by a spam campaign that seeks to install trojans on devices running unpatched versions of the productivity suite.
Microsoft warns customers of spam attack
Microsoft issued the warning this Friday, the 7th of June, that an ongoing series of spam emails was being sent to Europeans in the hope that the threat actors behind it would gain access to the victims’ computers. The spam emails carried an RTF-based attachment that, when opened, ran a series of scripts that would allow the hackers to gain access to the infected system.
Microsoft further stated that it is predominantly European users who are being targeted, the languages used in the attachments being those of mainland Europe. The scripts run include VBScript, PowerShell, and PHP, among many others, and they download a payload that ends in a trojan capable of directly controlling the user’s computer.
The good news, according to Microsoft, is that the command and control servers used in this attack appeared to have been shut down by Friday, when the security alert was sent out. The problem, however, is that the same technique could very well be used again, and the security alert is meant to make people aware now so that they are protected against any future emails.
Future campaigns pose a direct threat to unpatched Office users
Microsoft’s insistence that users be aware of the threat now, so that any future attacks might be foiled, is a smart move. Hackers often reuse the same tricks, and in this case the trick could pose a direct threat to many people.
The vulnerability carries the usual prosaic identifier assigned by Microsoft, CVE-2017-11882, and was patched in November 2017. Users who applied the patch should be safe from this particular attack vector, but there is always the issue of people not updating their software on time, if ever. This is why Microsoft says it is crucial to always let your software update, so that these types of attacks do not gain any headway.
Equation Editor compatibility module at fault for risk
The vulnerability lies in an older version of the Equation Editor that Microsoft has kept around for compatibility purposes. There is a newer version, but as with most of Microsoft’s software, the strength of its catalog is in how well it interacts with previous versions.
This is both a blessing and, as has been seen, a curse. Older software is more prone to attacks and cannot be easily changed without severely hurting backward compatibility. The initial flaw was found back in 2017 by a security research firm called Embedi. They discovered that the older, compatibility version of the Equation Editor could be used to execute code on a victim’s computer without any authorization from the victim. It all happened completely in the background, and the user would be left without any knowledge that the attack had taken place.
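The article describes the delivery vehicle (an RTF attachment) and the vulnerable component (the legacy Equation Editor) separately. The Python below ties the two together from a defender's side: it is an added example, not code from the article, from Microsoft or from Embedi. It inspects an RTF document for embedded OLE objects and reports whether any of them is declared as, or decodes to, an Equation Editor object, which is the condition a mail gateway or incident responder would want to flag on an unpatched estate. The `\object`, `\objclass`, `\objdata` and `\objupdate` control words and the OLE1 object-stream header layout are standard RTF and OLE formats; the sample documents are constructed here, and their embedded object data is a bare OLE1 header followed by zero padding, not real Equation Editor content.

```python
"""Heuristic scanner for RTF attachments that embed the legacy Equation Editor
OLE object (the component addressed by CVE-2017-11882).

Added example for this article, not Microsoft's or any vendor's code. The
sample documents below are constructed; the embedded object data is a bare
OLE1 header plus zero padding, not real Equation Editor content.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# RTF control words that introduce an embedded OLE object, name its class,
# carry its hex-encoded data, and request that Word refresh it on open.
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")

OLE1_VERSION = 0x00000501   # OLEVersion field of an OLE1 object stream
OLE1_EMBEDDED = 0x00000002  # FormatID value for an embedded object


@dataclass
class RtfFinding:
    has_object: bool
    declared_classes: List[str] = field(default_factory=list)  # from \objclass
    stream_classes: List[str] = field(default_factory=list)    # from decoded \objdata
    forces_update: bool = False                                # \objupdate present

    @property
    def references_equation_editor(self) -> bool:
        """True when any declared or decoded class name is an Equation Editor class."""
        return any("equation" in n.lower()
                   for n in self.declared_classes + self.stream_classes)


def ole1_class_name(data: bytes) -> Optional[str]:
    """Return the class name from an OLE1 object stream header, or None.

    Layout: OLEVersion (4 bytes), FormatID (4 bytes), then a length-prefixed
    ANSI string whose 4-byte length includes the terminating NUL.
    """
    if len(data) < 12:
        return None
    version, fmt, name_len = struct.unpack("<III", data[:12])
    if version != OLE1_VERSION or fmt != OLE1_EMBEDDED:
        return None
    name = data[12:12 + name_len]
    if len(name) != name_len:
        return None
    return name.rstrip(b"\x00").decode("latin-1")


def decode_objdata(hexblob: bytes) -> Optional[bytes]:
    """Decode the hex text of an \\objdata group; malformed hex yields None."""
    compact = re.sub(rb"\s+", b"", hexblob)
    if len(compact) % 2:
        compact = compact[:-1]  # tolerate a truncated trailing nibble
    try:
        return bytes.fromhex(compact.decode("ascii"))
    except ValueError:
        return None


def scan_rtf(rtf: bytes) -> RtfFinding:
    """Collect embedded-object indicators from a raw RTF document."""
    finding = RtfFinding(has_object=bool(OBJECT_RE.search(rtf)))
    finding.declared_classes = [m.decode("latin-1") for m in OBJCLASS_RE.findall(rtf)]
    finding.forces_update = bool(OBJUPDATE_RE.search(rtf))
    for blob in OBJDATA_RE.findall(rtf):
        data = decode_objdata(blob)
        if data is None:
            continue
        name = ole1_class_name(data)  # the stream names its class even if \objclass is absent
        if name:
            finding.stream_classes.append(name)
    return finding


# --- constructed samples (placeholder content, not real embedded objects) ----

def make_objdata(class_name: bytes) -> bytes:
    """Hex-encode an OLE1 header for class_name followed by zero padding."""
    header = struct.pack("<III", OLE1_VERSION, OLE1_EMBEDDED, len(class_name) + 1)
    return (header + class_name + b"\x00" + b"\x00" * 16).hex().encode("ascii")


BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"

# Declares the class openly and asks Word to refresh the object on open.
DECLARED_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + make_objdata(b"Equation.3") + b"}}}"
)

# No \objclass at all; only the decoded object stream reveals the class.
UNDECLARED_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + make_objdata(b"Equation.3") + b"}}}"
)

# A different embedded object type, to show the check is not "any OLE object".
OTHER_OBJECT_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Paint.Picture}"
    b"{\\*\\objdata " + make_objdata(b"Paint.Picture") + b"}}}"
)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_RTF), ("declared", DECLARED_RTF),
                       ("undeclared", UNDECLARED_RTF), ("other", OTHER_OBJECT_RTF)]:
        f = scan_rtf(doc)
        print(f"{label:10} equation={f.references_equation_editor} "
              f"update={f.forces_update} classes={f.declared_classes + f.stream_classes}")
```

The scanner decodes the object stream rather than trusting `\objclass`, because the declared class is optional in RTF while the OLE1 header always names the class that Office will actually activate; the `\objupdate` flag is reported separately as a secondary indicator, since it causes the object to be refreshed as soon as the document is opened, which matches the "completely in the background" behaviour the article describes.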
While Microsoft tried to solve the problem, another exploit was found later in 2018, and the company was forced to remove these components despite some initial outcry from businesses that were still running an older version of Microsoft Office.
Hackers were happy, however, as many know that a good bulk of users either forget to update or simply ignore update prompts, seeing them as more of a nuisance than as a security measure that needs to happen in a timely manner. Many enterprises are run by competent people, and larger businesses will generally have staff who make sure that business laptops are safe, but that does not stop employees from contracting the virus at home and bringing it into the workplace on a USB drive or something similar.
This is just one of the reasons that this exploit has been abused since it was announced back in 2017: it offers an easy way for hackers to get into a system, and with a little patience they can get anywhere they want.