CVE-2017–11882 RTF ? Full Description
The remote object is a malformed Rich Text Format (RTF) document (named MS-word-2017pa.doc) that exploits CVE-2017-11882 and downloads an HTML Application (HTA) dropper from hxxp://gamesarena[.]gdn/hta/WqJL[.]hta. The HTA will then retrieve Loki as the final payload from hxxp://gamesarena[.]gdn/games/Pasi[.]exe.
CVE-2017–11882 RTF — Full description
Another spamming group reportedly used CVE-2017-11882 to drop Loki, generated by the same cracked builder, via Server Message Block (SMB) protocol. A separate campaign was also recently spotted delivering Loki through malicious Excel scriptlets.
Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798. Some of the analyzed samples have a creation date of November 19, 2017 (five days after a patch was released for CVE-2017-11882), however, that date appears to be incorrect because the dropped payloads had a recent compilation timestamps in 2019. The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23.
Multiple samples analyzed by Anomali researchers that we associate with CVE-2018-0798 were also mentioned in previous instances by other researchers in the security community. We believe that some of these were misattributed to CVE-2017-11882 or CVE-2018-0802 when they actually appear to be CVE-2018-0798.
CVE-2018-0798 is an RCE vulnerability, a stack buffer overflow that can be exploited by a threat actor to perform stack corruption. The vulnerable subroutine is located at the relative virtual address 0x43f6c (sub_443f6c), shown in Figure 1 below. This routine is called by EQNEDT32 when parsing Matrix type records. To note, CVE-2017-11882 and CVE-2018-0802 are vulnerabilities that take place when parsing Font type records. Part of the Matrix record object is copied to a stack buffer without proper bound checks. This allows the threat actor to overflow the stack buffer, change the stored return address, and take control of the instruction pointer. Due to the age of this binary, it was compiled and linked in the early 2000s, it does not use any modern protections against stack overflows that would have made exploitation much harder.
However,Beginning on 25 June 2019, we started observing multiple commodity campaigns (Mostly dropping AsyncRAT) using the updated RTF weaponizer with the same exploit (CVE-2018-0798). As observed previously with CVE-2017-11882 and CVE-2018-0802, the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year (December 2017 through December 2018), after which cybercrime actors began to incorporate it in their malicious activity. This indicates that the weaponizer author is now selling to a wider group of actors.
Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.
Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.
The Microsoft Equation Editor process that can be identified in the sandbox analysis is a strong indicator that the vulnerability is indeed CVE-2017-11882, which is a vulnerability in Microsoft Equation Editor ( -and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild).
In order to verify that the malicious RTF file is exploiting CVE-2017-11882, we used PyREBox, a dynamic analysis engine developed by Talos. This tool allows us to instrument the execution of a complete system and monitor different events, such as instruction execution, memory read and writes, operating system events, and also provides interactive analysis capabilities that allow us to inspect the state of the emulated system at any time. For additional information about the tool, please refer to the blog posts about its release and the malware monitoring scriptspresented at the Hack in the Box 2018 conference.For this analysis, we leveraged the shadow stack plugin, which was released together with other exploit analysis scripts (shellcode detection and stack pivoting detection) at EuskalHack Security Congress III earlier this year (slides available). This script monitors all the call and RET instructions executed under the context of a given process (in this case, the equation editor process), and maintains a shadow stack that keeps track of all the valid return addresses (those that follow every executed call instruction).The only thing we need to do is configure the plugin to monitor the equation editor process (the plugin will wait for it to be created), and open the RTF document inside the emulated guest. PyREBox will stop the execution of the system whenever a RET instruction jumps into an address that is not preceded by a call instruction. This approach allows us to detect the exploitation of stack overflow bugs that overwrite the return address stored on the stack. Once the execution is stopped, PyREBox spawns an interactive IPython shell that allows us to inspect the system and debug and/or trace the execution of the equation editor process.
PyREBox will stop the execution on the return address at 0x00411874, which belongs to the vulnerable function reported in CVE-2017-11882. In this case, the malware authors decided to leverage this vulnerability to overwrite the return address with an address contained in Equation Editor's main executable module: 0x0044fd22. If we examine this address (see Figure 13), we see that it points to another RET instruction that will pop another address from the stack and jump into it. The shadow stack plugin detects this situation again, and stops the execution on the next step of the exploit.
Those with machines still vulnerable to CVE-2017-11882 could be infected by Snake Downloader/ Keylogger malware. The Snake Downloader threat is not confined to a particular industry or sector, but rather takes advantage of busy or distracted individuals to perpetrate its malicious activity.
By exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.
The exploits that these newer builders seem to prefer include a vulnerability in the Equation Editor feature in Microsoft Office (CVE-2017-11882) which, back in November, 2017 when Microsoft first published details about it, the company indicated had not been exploited in the wild.
The attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims. Specifically, the laced RTF files were found exploiting CVE-2017-11882 to execute a PowerShell command that's responsible for deploying additional malware to conduct reconnaissance on the machine.
CVE-2017-11882 concerns a memory corruption vulnerability that could be abused to run arbitrary code The flaw, which is believed to have existed since 2000, was eventually addressed by Microsoft as part of its Patch Tuesday updates for November 2017.
Memory corruption vulnerabilities in modern software are often mitigated by exploit protections, such as DEP and ASLR. More modern memory corruption protections include features like CFG. Even in a modern, fully-patched Microsoft Office 2016 system, the Microsoft Equation Editor lacks any exploit protections, however. This lack of exploit protections allows an attacker to achieve code execution more easily than if protections were in place. For example, because eqnedt32.exe was linked without the /DYNAMICBASE flag, it will not be loaded at a randomized location by default.Because Equation Editor is an out-of-process COM server, this also means that protections specific to any Microsoft Office application may not have an effect on this vulnerability. For example, if the exploit document is an RTF document, the document will open in Microsoft Word. However, the COM server eqnedt32.exe is invoked by the Windows DCOM Server Process Launcher service, as opposed to Word itself. For this reason, EMET or Windows Defender Exploit Guard protections specific to the Microsoft Office programs themselves will not protect users. For this same reason, none of the Windows Defender Exploit Guard Attack Surface Reduction (ASR) protections will help either.Windows 7 users who have EMET configured for ASLR to be "always on" at a system-wide level are protected against known exploitation techniques for this vulnerability. Starting with Windows 8.0, system-wide ASLR receives entropy for non-DYNAMICBASE code only if bottom-up ASLR is enabled on a system-wide level as well. Neither EMET nor Windows Defender Exploit Guard configures system-wide bottom-up ASLR though. Because of this, Windows 8.0 through Windows 10 systems must enable specific protections for this vulnerability.
According to this article from Reversing Labs, vulnerability CVE-2017-11882 in EQNEDT32.EXE is actively misused by Cobalt hacker group. The security experts found a modified RTF file addressing this vulnerability, that has been spread via email attachments. Some more details may be found at Bleeping Computer.
0patch has published a few days ago the blog post Microsoft's Manual Binary Patch For CVE-2017-11882 Meets 0patch, describing the vulnerability and a micro patch. More details may be found within the linked article. The odd thing: This 0-day-patch seems not to be released in Office versions before Office 2007.