Full Report
AhnLab Security Intelligence Center (ASEC) publishes the information of phishing emails to AhnLab TIP monthly under the title “Trends Report on Phishing Emails.” There are various keywords/topics disguised as phishing, and this blog will cover cases where emails disguised as emails for checking purchases and order confirmations are used to distribute the XLoader info-stealer. The […]
Analysis Summary
# Vulnerability: MS Equation Editor Remote Code Execution leveraged for XLoader Distribution
## CVE Details
- CVE ID: CVE-2017-11882
- CVSS Score: Not stated in the source text (CVE-2017-11882 is a well-known critical RCE)
- CWE: CWE-787 (Out-of-bounds Write) - *Inferred based on CVE-2017-11882*
## Affected Systems
- Products: Microsoft Office / Windows (via MS Equation Editor vulnerability)
- Versions: Not listed in the source; the vulnerability affects older or unpatched Microsoft Office installations that still include the Equation Editor.
- Configurations: Opening a malicious DOCX/RTF document that loads an external connection/OLE object and thereby triggers the Equation Editor vulnerability.
## Vulnerability Description
The attack leverages the known vulnerability in the Microsoft Equation Editor (CVE-2017-11882). An attacker embeds an RTF document containing malicious exploit code within a seemingly legitimate DOCX file (disguised as a purchase confirmation). When the user opens the DOCX, the internal RTF document is triggered, exploiting the Equation Editor flaw to execute `cmd.exe`. This command then runs a VBScript file (`Client.vbe`) located in the temporary folder, which ultimately deploys the XLoader info-stealer protected by HorusProtector.
## Exploitation
- Status: Actively exploited in the wild through phishing campaigns.
- Complexity: Low (Exploitation relies on deceiving the user into opening a malicious attachment).
- Attack Vector: Network (Via email delivery of the malicious document).
## Impact
- Confidentiality: High (Deploys XLoader info-stealer)
- Integrity: High (Arbitrary code execution allowing system modification)
- Availability: Medium (Potential for secondary impact from deployed malware)
## Remediation
### Patches
- **Microsoft Security Bulletin MS17-098:** Patching systems against CVE-2017-11882 is the primary defense. Users must ensure all versions of Microsoft Office affected by this vulnerability are fully updated.
### Workarounds
1. **Disable or restrict OLE/RTF processing:** Limit or prevent the automatic handling of embedded objects, especially those leveraging older components like the Equation Editor, within documents received from untrusted sources.
2. **Application Control:** Use application allowlisting policies to prevent `cscript.exe` from running VBScript files from temporary directories, or to block the execution flow in which Microsoft Office components launch external commands (`cmd.exe`).
## Detection
- **Indicators of Compromise (IoCs):**
  - Presence of `Client.vbe` in the temporary folder (`%tmp%`).
  - Execution chain: `WINWORD.EXE` spawning `cmd.exe /C cscript %tmp%\Client.vbe`.
  - Creation of a registry key under `HKCU\SOFTWARE\` with a random 15-character name, containing specific subkeys such as `donn` and a key holding the loader/PowerShell script.
- **Detection Methods and Tools:**
  - Endpoint Detection and Response (EDR) systems should flag anomalous process-creation chains in which Office applications launch command-line interpreters or script engines.
  - Signature detection for the specific `Client.vbe` file or the known XLoader/HorusProtector payloads.
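The two detection points above (the Office-to-script execution chain and the random 15-character registry key with a `donn` subkey) expressed as simple checks, as an added example that is not part of the ASEC report. The Sysmon-style event fields, the sample events, the `%tmp%` path patterns and the Office/script process names beyond `WINWORD.EXE`, `cmd.exe` and `cscript.exe` are assumptions.

```python
import re

# Office parents and the shell/script children used in the reported chain
# (winword.exe, cmd.exe and cscript.exe are from the report; the rest are assumed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
# A .vbe/.vbs launched from a temp folder: matches %tmp%\Client.vbe as well as
# the expanded form ...\AppData\Local\Temp\Client.vbe.
TEMP_SCRIPT = re.compile(r'(%tmp%|%temp%|\\temp)\\[^\\\s"]+\.vb[es]\b', re.IGNORECASE)
# HKCU\SOFTWARE\<15 random alphanumeric chars>\donn
RANDOM_KEY = re.compile(r"^HKCU\\SOFTWARE\\[A-Za-z0-9]{15}\\donn(\\|$)", re.IGNORECASE)


def office_spawned_script(event):
    """Return a reason string when an Office process launches a shell/script engine,
    or when a shell/script engine runs a .vbe/.vbs from a temp folder; else None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        return f"{parent} spawned {child}"
    if child in SHELL_CHILDREN and TEMP_SCRIPT.search(event["command_line"]):
        return f"{child} runs script from temp folder"
    return None


def suspicious_registry_key(path):
    """True for HKCU\\SOFTWARE\\<15 random chars>\\donn (and subkeys below it)."""
    return bool(RANDOM_KEY.match(path))


def scan(events):
    """Return (index, reason) for every event that trips a check."""
    hits = []
    for idx, event in enumerate(events):
        reason = office_spawned_script(event)
        if reason:
            hits.append((idx, reason))
    return hits


# Constructed sample events, not real telemetry: a benign Word launch followed
# by the reported chain WINWORD.EXE -> cmd.exe /C cscript %tmp%\Client.vbe.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Purchase Order.docx"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /C cscript %tmp%\Client.vbe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript C:\Users\u\AppData\Local\Temp\Client.vbe"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
    print(suspicious_registry_key(r"HKCU\SOFTWARE\Ab3dE5fG7hI9jK1\donn"))
```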