Three long-standing vulnerabilities in Microsoft Word and Excel, despite not being 0-day or even 1-day, continue to pose a threat to the cybersecurity industry. According to researchers, these three CVEs, CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802, have been used in more than 13,000 samples that are lurking in the wild in 2023. These vulnerabilities are used to lure victims into clicking on malicious documents, ultimately causing malware to spread.
The sectors targeted by the operators of these maldocs include lucrative industries such as banking and finance, government, and healthcare. Researchers have identified several noteworthy additions to the disseminated payloads in 2023, with samples used by notorious malware such as Agent Tesla, Gamaredon APT, and Formbook/Xloader. Agent Tesla, in particular, is a well-known malware family that functions as a keylogger and information stealer.
In 2023, the picture surrounding exploitation of these old CVEs remained unchanged. The maldocs exploiting these vulnerabilities have been used to spread several infamous malware families over the years, including Dridex, GuLoader, LokiBot, and others. The samples used in Gamaredon APT activity stand out in particular: this notorious hacker gang, which has been supported by the Russian state, has been especially active in deploying maldocs that exploit these old vulnerabilities.
GuLoader, another malware family, has also been observed being distributed using maldocs exploiting these old CVEs. This well-known shellcode-based downloader has been used in numerous attacks to distribute several types of malware. In addition to GuLoader, Formbook, an infostealer malware initially identified in 2016, is also tied to these old CVEs, especially CVE-2017-11882.
According to researchers, maldocs can take a variety of forms, but one common lure is poorly formatted text that prompts the user to “enable editing” for the document. Malicious Excel documents may be encrypted, which complicates analysis, as they use the MS Enhanced RSA and AES crypto providers to carry out encryption and decryption. Their techniques include embedded shellcode, enormous oleObjects, obfuscated VBA macros, and unusual URLs.
Researchers have emphasized the importance of preventing the spread of this malware, stating that this five-year-old spreading method must be well understood, and that the malware must be detected and stopped as early as possible.
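A static first-pass triage that looks for the traits just listed, written here as an added example (it is not code from the article or from any vendor tool). It inspects an Office file given as bytes, whether a legacy OLE2 .doc/.xls or an OOXML .docx/.xlsx zip, and reports an encrypted container, a VBA project, embedded OLE objects with their sizes, externally targeted relationships, and URLs other than the schema namespaces every OOXML file carries. The size threshold, the stream-name heuristics for OLE2 files, and the sample document it builds are assumptions for illustration, and the URL scan only sees ASCII strings.

```python
"""Static triage of an Office document for the maldoc traits described above.

Constructed example. The OLE2 checks are heuristics on raw directory-entry
names (stored as UTF-16LE); the OOXML checks walk the zip parts. Thresholds
and the sample file are assumptions for illustration.
"""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
LARGE_OLE_BYTES = 200_000                                   # assumed size threshold


def _is_namespace_url(url: str) -> bool:
    """OOXML parts are full of schema URLs; ignore those and keep the rest."""
    host = url.split("://", 1)[1].split("/", 1)[0].lower()
    return host.startswith("schemas.") or host in ("www.w3.org", "purl.org")


def _utf16(name: str) -> bytes:
    # OLE2 directory entries store stream/storage names as UTF-16LE
    return name.encode("utf-16-le")


def triage(data: bytes) -> dict:
    """Return an indicator report for one document given as raw bytes."""
    report = {"container": None, "encrypted": False, "vba": False,
              "ole_objects": [], "urls": [], "flags": []}
    urls = set()

    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        # An OLE2 file holding an "EncryptedPackage" stream is the wrapper
        # Office writes around a password-protected OOXML document.
        report["encrypted"] = _utf16("EncryptedPackage") in data
        report["vba"] = _utf16("_VBA_PROJECT") in data
        urls.update(m.decode("ascii", "replace") for m in URL_RE.findall(data))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        report["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                name = info.filename
                if name.lower().endswith("vbaproject.bin"):
                    report["vba"] = True
                if "/embeddings/" in name:
                    report["ole_objects"].append((name, info.file_size))
                if name.endswith((".xml", ".rels")):
                    part = z.read(name)
                    urls.update(m.decode("ascii", "replace") for m in URL_RE.findall(part))
                    if name.endswith(".rels") and b'TargetMode="External"' in part:
                        report["flags"].append(f"external relationship target in {name}")
    else:
        return report  # not an Office container this triage understands

    report["urls"] = sorted(u for u in urls if not _is_namespace_url(u))
    if report["encrypted"]:
        report["flags"].append("encrypted container")
    if report["vba"]:
        report["flags"].append("VBA project present")
    for name, size in report["ole_objects"]:
        if size >= LARGE_OLE_BYTES:
            report["flags"].append(f"large embedded object {name} ({size} bytes)")
    if report["urls"]:
        report["flags"].append(f"{len(report['urls'])} non-namespace URL(s)")
    return report


def build_sample() -> bytes:
    """Constructed OOXML document that shows several of the traits at once."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p/></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   '<Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                   'Target="http://example.invalid/update.bin" TargetMode="External"/>'
                   '</Relationships>')
        z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)    # stand-in, not a real VBA project
        z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 300_000)  # oversized embedded object
    return buf.getvalue()


if __name__ == "__main__":
    for flag in triage(build_sample())["flags"]:
        print("-", flag)
```

Run against a quarantined file with `triage(open(path, "rb").read())`; any raised flag is a reason to hand the document to a sandbox or an analyst rather than open it, and the combination of an oversized embedded object with an external relationship target is worth treating as high priority even when no macro is present.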
In light of these ongoing threats, there are several recommendations for users to protect themselves. It is crucial to update the operating system and any installed apps, avoid clicking on links in unsolicited emails from unfamiliar senders, and increase staff awareness of cybersecurity. If unsure, it is advisable to speak with a security expert, as preventing an issue is better than treating it.
This development underscores the ongoing threat posed by the exploitation of these old CVEs in Microsoft Word and Excel. Despite their age, these vulnerabilities continue to be used by threat actors to spread various types of malware, emphasizing the importance of proactive cybersecurity measures.