CVSSv2: 9.3

CVE-2017-11882

Published: 15/11/2017 Updated: 02/05/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 991
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow a malicious user to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Affected Products

Vendor      Product   Versions
Microsoft   Office    2007, 2010, 2013, 2016

Exploits

Source: github.com/embedi/CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blo ...

Mailing Lists

This Metasploit module exploits a flaw in how the Equation Editor handles OLE objects in memory to execute arbitrary code using RTF files without interaction ...

Metasploit Modules

Microsoft Office CVE-2017-11882

Module exploits a flaw in how the Equation Editor handles OLE objects in memory, allowing an attacker to execute arbitrary code via RTF files without user interaction. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory.

msf > use exploit/windows/fileformat/office_ms17_11882
msf exploit(office_ms17_11882) > show targets
    ...targets...
msf exploit(office_ms17_11882) > set TARGET <target-id>
msf exploit(office_ms17_11882) > show options
    ...show and set options...
msf exploit(office_ms17_11882) > exploit

Github Repositories

CVE-2017-11882 43b: original script from github.com/embedi/CVE-2017-11882. 109b: original script from github.com/unamer/CVE-2017-11882/ (hats off, unamer's code can now execute shellcode~). CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11

ABC CVE-2017-11882 Invoke-Mimikatz goo.gl/urb92R Calc.exe goo.gl/qTqqE4

CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-the

CVE-2017-11882-metasploit This is a Metasploit module which exploits CVE-2017-11882 using the POC below: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Installation: Copy the cve_2017_11882.rb to /usr/share/metasploit-framework/modules/exploits/windows/local/ Copy the cve-2017-11882.rtf to /usr/share/metasploit-framework/data/exploits/ Th

exploits some exploits This repo collects some exploits, going [1] MS17-010 ~ 2017810 Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) This directory contains two scripts, smb_ms17_010.py & smb_ms17_010_batch.py: the former checks a single ip whether vulnerable to MS17-010, and the latter is a ba

CVE-2017-11882 Article link: An Office remote code execution vulnerability hidden for 17 years (CVE-2017-11882) www.cnblogs.com/Hi-blog/p/7878054.html

CVE-2017-11882 Exploit CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum. For remote command execution, this exploit will call WinExec with SW_HIDE and call ExitProcess after WinExec returns. For remote code execution, this exploit just jmp to code. I cannot find a reference for the object structure, so I cannot change the file length for arbitrary lengt

Microsoft Office Memory Corruption Vulnerability CVE-2017-11882, March 25, 2019, Shannon and Iman. Outline: Background; Vulnerability; How does it work?; Uses; Violations; How was it fixed? (solutions); What the patch does; Example. Background: The code for Equation Editor was compiled in 2000 and was used in subsequent versions of Word. It is run as a separate process and an attacker can

CVE-2017-11882 Empire Port of CVE-2017-11882. Code shifted to another parent repository. Redirect?

CVE-2017-11882 Original script from github.com/embedi/CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru

cve-2017-11882

Vulnerability-analysis Vulnerability analysis: MSCOMCTL.OCX RCE vulnerability - CVE-2012-0158; CVE-2017-11882 document-based vulnerability

CVE-2017-11882 A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. 2017-11882_Generator This is a PoC re-edited, from the original one made by Embedi, to generate single file rt

IDB_Share CVE-2017-11882 analysis notebook. Found an 11882 format-overflow document that uses a rather unusual exploitation technique; the dropped payload is also quite interesting, with a large number of hard-coded API addresses and encrypted/decrypted strings that make static analysis fairly difficult. Part of the IDBs is shared publicly for readers. shellcode.idb is for IDA Pro 6.8; the other two IDBs are for IDA Pro 6.95.

EquationEditorShellCodeDecoder Tool to decode the encoded shellcode of this type found in Office documents. See the blog post to see how to use this: pcsxcetrasupport3.wordpress.com/2019/05/22/a-deeper-look-at-equation-editor-cve-2017-11882-with-encoded-shellcode/ I also have decoding notes for this sample in the 7Zip file. The password is the standard "infected", just in cas

RTF_11882_0802 CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru/2017/11/did-microsoft-just-man

CVE-2018-11882

Introduction: rtfraptor is a simple tool to aid analysis of malicious RTF files by extracting OLEv1 objects. It was inspired by a blog post by Denis O'Brien (link below). It works by running Word and intercepting calls to OLEv1 functions. This allows raw OLE objects to be dumped from memory for further analysis. The tool is designed to be run on Windows. This is useful f

CVE-2018-0802 CVE-2018-08022: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802 MITRE CVE-2018-0802: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802 0patch exploitation and patch video: www.youtube.com/watch?v=XU-U4K270Z4 Qihoo 360 blog post www.freebuf.com/vuls/159789.html Checkpoint blog (brute-force ASLR by

office-exploits This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO, other ways of executing commands via injection, other vulnerabilities. The following vulnerabilities have not yet been tested: CVE-2017-0199 thom-s/docx-embeddedhtml-injection - This PowerShell script exploits a known vulnerability in Word 2016 docum

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab the majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25+Gb. Install Guide: git clone github.com/shr3ddersec/Shr3dKit.git; pip install -r requirements.txt; bash shr3dkit.sh. Change Log: Fixed: macro_pack, LaZagne. Code: Added all requirements to s

CSIRT *Please contribute through pull requests ;) Another great list: awesome-incident-response. Books: Nice list here by CertBR; Practical Cryptography for Developers, github; The Book of Secret Knowledge. Links: FIRST; CertBR - useful links; 7º Fórum Brasileiro de CSIRTs; SANS Pen-Testing Resources: Downloads; Some list of security projects; APT & CyberCrim

office-exploits This repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO, other ways of executing commands via injection, other vulnerabilities. The following vulnerabilities have not yet been tested: CVE-2017-0199 webSettings.xml to obtain the NTLM SSP hash; macro tools: generation, obfuscation; Shellntel/luckystrike - A PowerShell base

Statistics of blockchain ecosystem hacks; reference sources: EOS fake deposit (hard_fail status attack) red alert, details disclosed and fix plan: paper.seebug.org/853/. Collection of tools for the different phases of penetration testing. Reconnaissance phase, active intelligence gathering: EyeWitness can be used to take website screenshots, provide some server header information and, where possible, identify default credentials. github.com/ChrisTruncer/

Red Teaming/Adversary Simulation Toolkit A collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagement. If you want to contribute to this list send me a pull request. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfil

amliaW4's Blog --- About --- Links. Post Time / Article Name / Type: 2019-01-27 CVE-2017-8570 office; 2019-01-01 2018 summary, summary; 2018-12-23 CVE-2013-3906 analysis office; 2018-12-17 CVE-2012-0158 analysis office; 2018-12-14 CVE-2017-11826 analysis office; 2018-12-05 CVE-2017-11882 analysis office; 2018-11-28 IE creation process IE; 2018-11-28 CVE-2010-0248 PoC analysis IE Po

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab the majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25G. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfiltration, Misc, References. Reconnaissance: Active Intelligenc

Security Notes Palo Alto Networks has world-renowned experts supporting threat research efforts across the company. The completely in-house team focuses on quickly identifying, analyzing, and creating protections for attacks as they emerge—building and enhancing the automated prevention enforced through our Security Operating Platform. The team is comprised of: Threat e

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents AMPL ActionScript Arduino Assembly AutoHotkey Awk Batchfile Brainfuck C C# C++ CSS Clojure CoffeeScript Common Lisp Crystal Delphi Emacs Lisp Erlang Forth Game Maker Language Go Groff HCL HTML Haskell Haxe Inno Setup Java JavaScript Jupyter Notebook Kotlin Lua Makefile Mercury NSIS OCaml Objecti

APT & CyberCriminal Campaign Collection This is a collection of APT and CyberCriminal campaigns. Please fire an issue to me if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla APTnotes; Florian Roth - APT Groups; Attack Wiki

PoC-and-Exp-of-Vulnerabilities Collection of vulnerability verification and exploitation code. Disclaimer: the code in this project was collected from the Internet or written by me; do not use it for illegal purposes, and any resulting legal liability has nothing to do with me. Many of the Windows PoCs will be blocked by antivirus software, which is normal; decide for yourself whether to download. If any exp contains a backdoor, contact me by opening an issue. Windows

APT & CyberCriminal Campaign Collection This is a collection of APT and CyberCriminal campaigns. Please fire an issue to me if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla APTnotes; Florian Roth - APT Groups; Attack Wiki; threat-INTel; targetedthreats; Raw Threat Intel

office-exploit-case-study Most samples are malware used in the real world; please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding paper if mentioned. Exploits before 2012 not included. Feel free to open issues if you have any questions. What did Microsoft do to make Office more secure? 1. Dat

office-exploit-case-study Collection of Office exploits used in the real world in recent years with samples and writeups; please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Samples should match the hash in the corresponding writeup if mentioned. If you are looking for more poc (reported by researchers and never used in the real world), you ca

My Infosec Awesome My curated list of awesome links, resources and tools Articles Cryptography Digital Forensics and Incident Response Exploitation Hardening Malware Analysis Mobile Security Post Exploitation Privacy Reverse Engineering Tutorials Web Application Security Tools Adversary Emulation AWS Security Binary Analysis Cryptography Data Exfiltration Data Sets Digit

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Microsoft Warns of Email Attacks Executing Code Using an Old Bug
Threatpost • Tara Seals • 10 Jun 2019

Microsoft is warning of a fresh email campaign that distributes malicious RTF files boobytrapped with an exploit dating back to a 2017 vulnerability, CVE-2017-11882.
The exploit allows attackers to automatically run malicious code without requiring user interaction.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,” Microsoft Security Intelligence tweeted on Friday. “Notably, we saw increased activity in the pa...

IT threat evolution Q1 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 23 May 2019

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q1 2019 is remembered mainly for mobile financial threats.
First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartpho...

Spam and phishing in Q1 2019
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina • 15 May 2019

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Securelist • Yury Namestnikov, Félix Aime • 08 May 2019

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to st...

Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not
The Register • Gareth Corfield • 16 Apr 2019

Over two-thirds of attacks Russian biz spied targeted venerable Microsoft suite

Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone's favourite Microsoft suite – Office.
"In the past few months, MS Office... became the most targeted platform," the firm said in a blog post. It produced a graph showing that between Q4 2016 and Q4 2018, Office-targeting attacks rose from 16 per cent of total Kaspersky detections to more than two-thirds.
The outfit also reported a switch away from ne...

Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change
Threatpost • Lindsey O'Donnell • 16 Apr 2019

The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change.
While the keylogger has been in continuous development since 2013, in December a thread on a hacking site noted an ownership change, after which posts on hacking forums began to appear, selling new versions of the kit. “HawkEye Reborn v9” sports new anti-detection features and other changes, researchers said.
“Recent changes in both the ownership and...

Fake or Fake: Keeping up with OceanLotus decoys
welivesecurity • Romain Dumont • 20 Mar 2019

This article will first describe how the OceanLotus group (also known as APT32 and APT-C-00) recently used one of the publicly available exploits for CVE-2017-11882, a memory corruption vulnerability present in Microsoft Office software, and how OceanLotus malware achieves persistence on compromised systems without leaving any traces. Then, the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code.
Following OceanLotus’ act...

ThreatList: Phishing Attacks Doubled in 2018
Threatpost • Lindsey O'Donnell • 12 Mar 2019

Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks – such as scams tied to current events – as well as other stealthy, fresher tactics.
Researchers with Kaspersky Lab said in a Tuesday report that during the course of 2018, they detected phishing redirection attempts 482.5 million times – up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, r...

Spam and phishing in 2018
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina • 12 Mar 2019

In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.
During this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notificati...

RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
Threatpost • Tara Seals • 05 Mar 2019

SAN FRANCISCO – A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.
The bug exists in the OLE file format and the way it’s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.
Microsoft told the researchers that patching the problem is...

GreyEnergy’s overlap with Zebrocy
Securelist • Kaspersky Lab ICS CERT • 24 Jan 2019

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap bet...

Cobalt Group Pushes Revamped ThreadKit Malware
Threatpost • Tom Spring • 11 Dec 2018

Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.
In a report issued by security firm Fidelis on Tuesday (PDF), researchers...

IT threat evolution Q3 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Oleg Kupreev, Evgeny Lopatin, Alexander Liskin • 12 Nov 2018

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
Perhaps the biggest news of the reporting period was the Trojan-Banker.AndroidOS.Asacub epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab’s mobile products installed on their devices.

Number of...

Spam and phishing in Q3 2018
Securelist • Maria Vergelis, Nadezhda Demidova, Tatyana Shcherbakova • 06 Nov 2018

We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.
In Q3, we registered a surge of fraudulent emails in spam traffic. This type of scam we have already reported at the beginning of the year. A ransom (in bitcoins) is demanded in exchange for not disclosing the “damaging evidence” concerning the recipients....

Spam and phishing in Q2 2018
Securelist • Maria Vergelis, Nadezhda Demidova, Tatyana Shcherbakova • 14 Aug 2018

In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.
As required by the regulation, companies notified email recipients that they were switching to a new GDPR-comp...

IT threat evolution Q2 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Alexander Liskin, Oleg Kupreev • 06 Aug 2018

According to KSN:
In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

Among all the threats detected in Q2 2018, the lion’s share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.
Second place was taken by Trojan-Dropper threats (13%),...

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week
The Register • Iain Thomson in San Francisco • 28 Jul 2018

The good, the bad, and the ugly from infosec

Roundup There has been a bumper crop of security news this week, including another shipping giant getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under.
Useless action please! While Wyden might know what he's talking about his colleagues seem set on useless posturing.
On Tuesday Senators Pat Toomey (R-PA) and Chris Van ...

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
Fireeye Threat Research • by Swapnil Patil • 26 Jul 2018

Campaign Details
In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.
FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar ...

LuckyMouse hits national data center to organize country-level waterholing campaign
Securelist • Denis Legezo • 13 Jun 2018

In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.
The operators used the...

Targeted Spy Campaign Hits Russian Service Centers
Threatpost • Tara Seals • 07 Jun 2018

A series of espionage attacks have been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods.
The payload is a commercial version of the Imminent Monitor tool, which is freely available for purchase as legitimate software. Its developers explicitly prohibit any usage of the tool in a malicious way – which bad actors are clearly ignoring.
Imminent Monitor includes two modules for recording video from a victim’s web...

Despite Ringleader’s Arrest, Cobalt Group Still Active
Threatpost • Tara Seals • 28 May 2018

Evidence has surfaced that the Cobalt Group – the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe – is continuing to operate, despite the arrest of its accused ringleader in March.
The Cobalt Group first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new re...

IT threat evolution Q1 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Alexander Liskin, Oleg Kupreev • 14 May 2018

According to KSN:
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.
It wasn’t a drive-by-download case, since the success of the attack larg...

APT Trends report Q1 2018
Securelist • GReAT • 12 Apr 2018

In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.
These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to h...

Word Attachment Delivers FormBook Malware, No Macros Required
Threatpost • Tom Spring • 09 Apr 2018

A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.
Researchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. The method of infection includes a new multi-stage infection technique.
The company, which released details of the method Monda...

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
Fireeye Threat Research • by FireEye • 16 Mar 2018

Intrusions Focus on the Engineering and Maritime Sector
Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “L...

Word-based Malware Attack Doesn’t Use Macros
Threatpost • Tom Spring • 15 Feb 2018

Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.
The attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by Trustwave’s SpiderLabs. When opening attachments, there ar...

Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware
Threatpost • Tom Spring • 17 Jan 2018

Spam campaigns delivering Zyklon HTTP malware are attempting to exploit three relatively new Microsoft Office vulnerabilities. The attacks are targeting telecommunications, insurance and financial service firms.
According to FireEye researchers who identified the campaigns, attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future distributed denial of service attacks.
Researchers said attacks begin with sp...

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
Fireeye Threat Research • by Swapnil Patil, Yogesh Londhe • 17 Jan 2018

Introduction
FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.
Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self...

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
Fireeye Threat Research • by Manish Sardiwal, Yogesh Londhe, Nalani Fraser, Nicholos Richard, Jaqueline O’Leary, Vincent Cannon • 07 Dec 2017

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.
We believe APT34 is involved in a long-term cyber espionage operation largely focused ...

Microsoft Patches 17-Year-Old Office Bug
Threatpost • Tom Spring • 15 Nov 2017

Microsoft on Tuesday patched a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor. The vulnerability (CVE-2017-11882) was patched as part of Microsoft’s November Patch Tuesday release of 53 fixes.
While Microsoft rates the vulnerability only as “Important” in severity, researchers at Embedi, who found the bug, call it “extremely dangerous.”
In a report released Tuesday (PDF) by Embedi, researchers argue the vulnerability is a...
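The macro-free attachments described in the Threatpost items above and the Equation Editor bug Embedi reported share one defensive consequence: there is no VBA project to inspect and no macro warning to rely on, so triage has to look at the embedded OLE object itself. The following scanner is an added example for this page, not code from Embedi, Threatpost or any vendor named here; it decodes the `{\*\objdata ...}` groups of an RTF file and flags objects that name Equation Editor (`Equation.3`) in the `\objclass` control word, in the OLE1 header's ClassName, or via the Equation 3.0 class ID `{0002CE02-0000-0000-C000-000000000046}` and the `Equation Native` stream name inside the payload. It checks for indicators only and does not build or reproduce an exploit; the three RTF samples at the bottom are constructed test data with dummy native payloads.

```python
"""Triage scanner for RTF files that embed Microsoft Equation Editor (Equation.3) OLE objects.

Added example, not code from the articles on this page. Detects indicators only;
the sample documents below are constructed and carry no real Equation Native payload.
"""
import re
import struct

# {0002CE02-0000-0000-C000-000000000046} as serialised in an OLE directory entry:
# Data1/Data2/Data3 little-endian, Data4 as-is.
EQUATION3_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
# OLE2 directory entries store stream names as UTF-16LE.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

_OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{};\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every {\\*\\objdata ...} group in the RTF."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))  # Word wraps the hex across lines
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a dangling nibble from a truncated file
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def ole1_class_name(blob: bytes):
    """Parse the OLE1 ObjectHeader at the start of an objdata payload and return its
    ClassName (e.g. b'Equation.3'), or None if the header does not parse."""
    if len(blob) < 12:
        return None
    _ole_version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    # FormatID 1 = linked object, 2 = embedded object; anything else is not OLE1.
    if format_id not in (1, 2) or name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00")


def scan_rtf(rtf: bytes) -> dict:
    """Collect Equation Editor indicators from an RTF document and summarise them."""
    findings = {
        "objclass": [c.decode("latin-1") for c in _OBJCLASS_RE.findall(rtf)],
        "ole1_class": [],
        "clsid_hit": False,
        "stream_hit": False,
    }
    for blob in extract_objdata(rtf):
        name = ole1_class_name(blob)
        if name:
            findings["ole1_class"].append(name.decode("latin-1"))
        if EQUATION3_CLSID_LE in blob:
            findings["clsid_hit"] = True
        if EQUATION_NATIVE_UTF16 in blob:
            findings["stream_hit"] = True
    names = findings["objclass"] + findings["ole1_class"]
    findings["suspicious"] = (
        any("equation" in n.lower() for n in names)
        or findings["clsid_hit"]
        or findings["stream_hit"]
    )
    return findings


# --- constructed sample documents (test data, not real exploit files) ---------------

def build_ole1_objdata(class_name: bytes, native: bytes) -> bytes:
    """Serialise a minimal OLE1 embedded-object header around `native`.
    In a real document `native` would be an OLE2 compound file."""
    name = class_name + b"\x00"
    hdr = struct.pack("<III", 0x00000501, 2, len(name)) + name
    hdr += struct.pack("<II", 0, 0)  # empty TopicName and ItemName
    return hdr + struct.pack("<I", len(native)) + native


def build_rtf_with_object(objclass: bytes, objdata: bytes) -> bytes:
    """Wrap an OLE1 payload in the RTF \\object group, hex-encoded and line-wrapped."""
    hexdata = objdata.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + objclass + b"}"
            b"{\\*\\objdata " + wrapped + b"}}\\par text}")


# Object that declares itself as Equation.3 everywhere.
SUSPICIOUS_RTF = build_rtf_with_object(
    b"Equation.3",
    build_ole1_objdata(b"Equation.3", b"\x00" * 16 + EQUATION3_CLSID_LE + EQUATION_NATIVE_UTF16),
)
# Renamed \objclass but the OLE1 header still names Equation.3: caught by the header check.
EVASIVE_RTF = build_rtf_with_object(
    b"Word.Document.8",
    build_ole1_objdata(b"Equation.3", b"\x00" * 32),
)
# Ordinary embedded picture: no Equation indicators.
BENIGN_RTF = build_rtf_with_object(
    b"Paint.Picture",
    build_ole1_objdata(b"Paint.Picture", b"BM" + b"\x00" * 30),
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("evasive", EVASIVE_RTF), ("benign", BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

The regex-based group extraction is deliberately simple and is defeated by the RTF obfuscation seen in real campaigns (split control words, `\bin` binary runs, nested or malformed groups), so treat a hit as a reason to pull the object apart with a proper RTF/OLE parser rather than as a verdict, and treat a miss as no evidence either way.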

It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros
The Register • Shaun Nichols in San Francisco • 15 Nov 2017

Not enough? How about a few dozen PDF remote code holes?

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.
November's Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.
Microsoft's patch dump addresses a total 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and ...

Microsoft Patches 20 Critical Vulnerabilities
Threatpost • Tom Spring • 14 Nov 2017

Microsoft tackled 53 vulnerabilities with today’s Patch Tuesday bulletin. Remote code execution bugs dominated this month’s patches, representing 25 fixes. In total, 20 of Microsoft’s security fixes were rated critical.
Notable are four vulnerabilities with public exploits identified by Microsoft as CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700. But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being used in active campaigns...