Microsoft has warned European Office users of an active email spam campaign that distributes RTF files carrying the 2017-11882 exploit — malware that allows attackers to automatically run malicious code without requiring user interaction.
The company says the 2017-11882 vulnerability was fixed in 2017, but that “to this day, we still observe the exploit in attacks.”
In an alert issued on Friday, Microsoft says it has seen increased activity in the past few weeks and recommends that users apply security updates. The campaign uses emails in European languages, it adds.
The RTF file downloads and runs multiple scripts — i.e., VBScript, PowerShell, PhP — to download the payload. That payload “then tries to connect to a malicious domain that’s currently down.”
The payload is Trojan:MSIL/Cretasker, as detected by Windows Defender ATP, Microsoft says.
Koddos reports that the vulnerability is “a code name for an older version of the Equation Editor that Microsoft needs to keep around for compatibility purposes.”
Microsoft has a newer version, but Koddos observes that older software is “more prone to attacks and cannot be easily changed without severely hurting backward compatibility.”
According to Microsoft, "other mitigations, like attack surface reduction rule, also block the exploit."