The email text changes, but the scheme is always the same: the .xz attachment contains an exe, the malware itself, which is meant to load further payloads. Which ones, however, is not yet known.
Microsoft: cybercriminals have launched a wave of spam in the EU using RTF documents armed with malware. Through malspam, they aim to spread a backdoor Trojan
Cybercriminals have launched a wave of spam in the EU to spread RTF documents "armed" with malware, as discovered by Microsoft's security researchers. The text of the emails is written in various languages. As Cert-PA points out, the attachment downloads and executes multiple scripts of different types (VBScript, PowerShell, PHP and others), attempting to retrieve from remote servers the part of the code that actually leads to infection. The infection chain is triggered simply by opening the malicious RTF document on a vulnerable version of Office; the final payload is a generic backdoor trojan. Following Microsoft's warning, the malicious code's command and control (C2) server no longer appears to be active. It is likely, however, that further malspam campaigns exploiting the same mechanism and new versions of the Trojan will follow in the near future.
Cyber security experts: an old vulnerability that many have still not patched is being exploited. Cert-PA provides further details and ways to mitigate the threat
The attacks in the EU exploit the CVE-2017-11882 vulnerability, discovered in 2017 by security researchers at Embedi. They found that cybercriminals were spreading an Office document with a special exploit that allowed code execution on users' devices without any interaction. Microsoft released a first patch in November of the same year; then, in 2018, a further update removed the "Editor" (Equation Editor) component from Word versions starting with Office 2007. As the waves of cyber attacks exploiting even old flaws confirm, many users and companies do not update their software. This allowed the malicious actors to launch new attacks, including this latest one, even though the vulnerability has in theory been resolved. Cert-PA has published a note providing important details on the threat and how to mitigate it.
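As an added triage example (not code from the article, Microsoft or Cert-PA), the script below shows what a defender can check in an RTF attachment before it is opened: it decodes every `\objdata` block, parses the OLE 1.0 object header to recover the embedded object's class name, and flags documents that embed an Equation Editor object (class name "Equation.3", the component targeted by CVE-2017-11882) or that carry `\objupdate`, which makes Word refresh the object as soon as the file is opened. The OLE 1.0 header layout and the "Equation.3" class name are general facts about this attack vector, not taken from the page; the sample RTF is constructed inline and contains only a header stub, so the scanner has something to parse.

```python
import re
from typing import Optional

# --- constructed sample input (not a real campaign document) --------------

def _ole1_header(class_name: bytes) -> bytes:
    """Build an OLE 1.0 ObjectHeader: OLEVersion, FormatID (2 = embedded),
    then a length-prefixed, NUL-terminated class name. Header only."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00"                  # OLEVersion
            + b"\x02\x00\x00\x00"                # FormatID: embedded object
            + len(name).to_bytes(4, "little")    # class name length
            + name)

# Minimal RTF embedding an "Equation.3" object with auto-update enabled.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata " + _ole1_header(b"Equation.3").hex() + r"}}}"
)

# Plain document with no embedded objects, for comparison.
BENIGN_RTF = r"{\rtf1\ansi Hello world\par}"

# --- scanner ---------------------------------------------------------------

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")

def extract_objects(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata block in the RTF text."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:            # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs

def ole1_class_name(blob: bytes) -> Optional[str]:
    """Parse an OLE 1.0 ObjectHeader and return its class name, if present."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")
    n = int.from_bytes(blob[8:12], "little")
    if fmt not in (1, 2) or n == 0 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("latin-1", "replace")

def triage(rtf: str) -> dict:
    """Flag RTF content that embeds an Equation Editor object or auto-updates
    embedded objects on open. Returns a verdict plus human-readable findings."""
    findings = []
    if re.search(r"\\objupdate", rtf):
        findings.append("objupdate: embedded object refreshed when the file is opened")
    for blob in extract_objects(rtf):
        name = ole1_class_name(blob)
        if name and "equation" in name.lower():
            findings.append(f"embedded {name} object (Equation Editor, CVE-2017-11882 target)")
    return {"suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(label, triage(doc))
```

Run it as-is and the constructed sample is flagged on both counts while the benign document is clean. On real attachments, a hit here is a reason to quarantine and detonate the file in a sandbox rather than a proof of exploitation; the check is deliberately cheap so it can sit in a mail gateway or SOC enrichment step ahead of heavier analysis.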