Equation Editor—Attackers continue to exploit CVE-2017-1182….

Menlo labs has observed limited attacks, where attackers are continuing to exploit CVE-2017-11882, an old Microsoft exploit with a patch that was issued more than two years ago. As a matter of fact, an FBI report published on May 12 2020, listed it as one of the top 10 vulnerabilities routinely getting exploited. We are still analyzing some details of the malware involved in the three attacks and will post it in part 2 of this series. The following are some noteworthy features in all the attacks we identified

AWS Builder Community Hub


    • All of the weaponized payloads were hosted on well known cloud security storage platforms -me, and onedrive

    • We don’t believe all the attacks were part of the same campaign as there is no infrastructure overlap and each attack leverages different malware

    • Different malware droppers were used in the attacks for post exploitation exfiltration and persistence

    • The attacks we saw targeted 

      • Hong Kong

      • North America

    • The following industry verticals were targeted

      • Real Estate

      • Entertainment

      • Banking

    • In all the attacks we observed, the exploit remained the same, but different Remote Access Trojans were delivered


    • What is Equation Editor?

      • Equation Editor is a feature in Microsoft Office that lets the user embed a mathematical equation or a formula inside any office document.

    • What is CVE-2017-11882?

      • CVE-2017-11882 is a Microsoft Office exploit that has been written about extensively. In a nutshell, the exploit takes advantage of a stack buffer overflow vulnerability in the Microsoft Equation Editor. Due to the manner in which the Equation Editor executable was compiled and linked, it was not using the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features

      • This exploit was initially used by APT groups, but was soon incorporated by crimeware groups for widespread use. In January 2018, Microsoft patched all versions of Microsoft Office for this vulnerability. This gave rise to two newer versions of exploits targeting the Equation Editor

        • CVE-2018-0802—Targets the equation editor, but only works on the versions that were patched for CVE-2017-11882

        • CVE-2018-0798—Targets the equation editor, but works on all versions

Technical Analysis

Attack 1

The first attack we observed was served from A subdomain under was used to serve an RTF file. If the user opens the Word document, CVE-2017-11882 is triggered and an HTTP request to a site is made. The site redirects to Femto uploader, which ironically, has stopped anonymous uploads because of the excessive abuse by attackers hosting their malicious payloads (see screenshot below)


Equation Editor Blog_Fig1


Once the executable hosted at femto is downloaded and executed on the endpoint, there is another HTTP request to, from where, data is downloaded.


The downloaded data goes through some character replacements, see screenshot below and eventually the NetWire RAT gets downloaded.


Equation Editor Blog_Fig2


Netwire is a remote access trojan that has been around for a while. The trojan was primarily used to steal credential and payment card data.


Equation Editor Blog_Fig3


Attack 2

The second attack we observed was hosted on which looks like a popular file sharing website. The file hosted on this website was a malicious Microsoft excel, with the name Petratex – PO_RFQ.xlsx. Once the Microsoft excel spreadsheet is opened, a HTTP request is made to download the Agent Tesla malware. Agent Tesla is a well known malware and has been well documented. It is a fully functioning RAT (Remote Access Trojan) that is capable of stealing credentials, taking screenshots, downloading additional files.



Equation Editor Blog_Fig4


Attack 3

The third attack we noticed used the lure of Authorization as the filename.  This file was hosted on the one drive. Opening the excel file resulted in a binary downloaded from “”, as is shown in the screenshot below.



Equation Editor Blog_Fig5


The executable downloaded is the Houdini or H-Worm RAT. The following functionalities are built into the RAT.







Executes a file specified by the C2



Overwrites the installed malware with an updated version and executes it



Deletes all the reg keys created and the file



POST request to download file from C2



GET request to download file from C2



Upload a file specified by the C2, to the C2. The POST request is sent to the URI /is-rlartg POST /is-rlsartg{*}<file_name>



Sleep for a specified period of time

Menlo Security has a more detailed write up about this RAT


The fact that CVE-2017-11882 is continuing to be exploited speaks not only to the reliability of the exploit, but to the fact that there are companies out there that are still using outdated software. Patching applications and operating systems to protect them against security issues is critical, but the shortage of cybersecurity professionals combined with the ever changing enterprise environment makes it harder for enterprises to put a proper patch management process in place.


*** This is a Security Bloggers Network syndicated blog from Menlo Security Blog authored by Vinay Pidathala. Read the original post at: