Cybercriminals actively exploit recently patched Office leak with politically themed malcious RTF files

Posted 23 November 2017 23:56 CET by Jan Willem Aldershoff

Microsoft Office users are targeted in a new attack using malcious RTF documents that abuse a vulnerability in the office suite that was patched last month. The vulnerability was already actively exploited before Microsoft patched it, but the attacks are ongoing, security vendor Fortinet warns.

The documents are attached to emails and are politically themed in order to convince the user to open it. When they are opened with a vulnerable Office version, a backdoor is installed. This backdoor sends all kinds of data about the system such as the computername, MAC address, local IP address, Windows version and language, to the cybercriminals. Based on the computername and MAC address an unique ID is generated to identity victims. To avoid detection by antivirus software, the backdoor server is downloaded in several encrypted chunks.

Once the backdoor is running, it allows the criminals to disable processes, to move, delete, search for, download or upload files and to start applications.

Considering the political themed documents, it could very well be that specific organisations are targeted. Fortinet states about this , “based on this campaign’s use of social engineering with a political theme, we believe that this is not just another cybercrime malware that attacks whoever is hit by it on the Internet. However, as of this point, we have no data on what specific institutions are being targeted. ”

Fortinet also fears that the same vulnerability will be abused in more attacks, as the company writes, “it’s safe to assume that this malware is just one of many campaigns that will be capitalizing on this new attack vector.”

Earlier this week also Microsoft stated it has noticed an increase in attacks on Office.

Related content

Comment on this news item