The official Microsoft Security Intelligence Twitter account published a series of security warnings this week, all of them concerning Microsoft Office RTF vulnerabilities. Over the past few years, more security vulnerabilities have turned up in WordPad applications, allowing attackers to craft malicious RTF and Word documents that attack users automatically. In theory, simply opening a malicious RTF or Word document is enough to be infected. Because the infection happens as soon as the file is opened, the user will not notice it.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019
Recent monitoring by the Microsoft Security Intelligence Center found that exploitation of WordPad vulnerabilities has begun to increase, which means that attackers are actively exploiting the vulnerabilities described above. The main delivery method discovered so far is spam email, in which the attacker lures the user into opening the attached documents. These documents contain malicious code that, when the user opens them, automatically invokes PowerShell to execute commands and saves malicious files to the cache directory, ready to run. The malware then adds itself to the scheduled tasks so that it starts automatically. Microsoft said that analysis shows the downloaded malicious files to be backdoors.
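The chain described above (a document is opened, PowerShell runs, a scheduled task is created) can be hunted for in process-creation logs. The following is an added example, not code from Microsoft or from the original article. The event fields, the list of document-handling processes and every sample event are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumption: processes that open RTF/Word documents. eqnedt32.exe is the
# Equation Editor component that CVE-2017-11882 affects.
DOC_APPS = {"winword.exe", "wordpad.exe", "eqnedt32.exe"}

def _name(event):
    return basename(event["image"]).lower()

def _doc_ancestor(event, by_pid):
    """Walk parent links; return the nearest document-app ancestor or None."""
    seen = set()
    cur = by_pid.get((event["host"], event["ppid"]))
    while cur and cur["pid"] not in seen:
        if _name(cur) in DOC_APPS:
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get((cur["host"], cur["ppid"]))
    return None

def find_chains(events):
    """One finding per document process that led to PowerShell (PID reuse ignored)."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = {}
    for e in sorted(events, key=lambda item: item["time"]):
        doc = _doc_ancestor(e, by_pid)
        if doc is None:
            continue
        key = (doc["host"], doc["pid"])
        if _name(e) == "powershell.exe":
            f = findings.setdefault(key, {"host": doc["host"], "doc": _name(doc),
                                          "powershell": [], "persistence": []})
            f["powershell"].append(e["cmdline"])
        elif _name(e) == "schtasks.exe" and "/create" in e["cmdline"].lower() and key in findings:
            findings[key]["persistence"].append(e["cmdline"])  # task created after PowerShell
    return list(findings.values())

def ev(host, time, pid, ppid, image, cmdline=""):
    return dict(host=host, time=time, pid=pid, ppid=ppid, image=image, cmdline=cmdline)

WIN = "C:\\Windows\\System32\\"
PS = WIN + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, not real telemetry
    ev("WS1", 1, 210, 50, "C:\\Office\\EQNEDT32.EXE"),
    ev("WS1", 2, 300, 210, PS, "powershell.exe <constructed>"),
    ev("WS1", 3, 310, 300, WIN + "schtasks.exe", "schtasks.exe /Create /TN <constructed>"),
    ev("WS2", 1, 100, 1, "C:\\Windows\\explorer.exe"),
    ev("WS2", 2, 400, 100, PS, "powershell.exe <constructed>"),
    ev("WS2", 3, 410, 400, WIN + "schtasks.exe", "schtasks.exe /Create /TN <constructed>"),
    ev("WS2", 4, 500, 100, "C:\\Office\\WINWORD.EXE"),
]
```

On the sample data only WS1 is reported: the PowerShell and schtasks activity on WS2 descends from explorer.exe, not from a document-handling process.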
Microsoft fixed the vulnerability in the November 2017 security update, so it is recommended that all users install Office security patches in a timely manner.