Threats + Use Case

Abuse EQNEDT32.EXE CVE-2017-11882

Phishing

Overview of CVE-2017-11882

CVE-2017-11882 affects several versions of Microsoft Office. When exploited, it allows a remote attacker to run arbitrary code in the context of the current user, because the affected component improperly handles objects in memory. The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a Microsoft Office component used to insert and evaluate mathematical formulas. Because EQNEDT32.EXE was compiled with an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory-corruption vulnerabilities, an attacker can easily alter the flow of program execution.

This use case is geared towards detecting a potentially malicious Microsoft Office payload (CVE-2017-11882) on a host.
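
One way to express this detection over host process-creation telemetry, as an added example that is not part of the original use case. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine); the severity tiers, the helper names and every sample event are constructed for illustration.

```python
import ntpath

# Assumption: process-creation events with Sysmon Event ID 1 style fields
# (Image, ParentImage, CommandLine). Every event below is constructed.
EQUATION_EDITOR = "eqnedt32.exe"
# Any child of Equation Editor is unusual; these interpreters raise severity.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "regsvr32.exe", "rundll32.exe"}
EQ_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

SAMPLE_EVENTS = [
    {"host": "ws-01", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": EQ_PATH, "CommandLine": "EQNEDT32.EXE -Embedding"},
    {"host": "ws-01", "ParentImage": EQ_PATH,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c constructed-placeholder"},
    {"host": "ws-02", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"host": "ws-03", "ParentImage": '"c:/program files/eqnedt32.exe"',
     "Image": r"C:\Users\Public\sample.exe", "CommandLine": "sample.exe"},
    {"host": "ws-04", "Image": r"C:\Windows\explorer.exe"},  # no parent recorded
]

def exe_name(path):
    """Lower-cased file name from a Windows path; tolerates quotes, '/' and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()

def classify(event):
    """Return a finding dict for one event, or None when it is not relevant."""
    parent, child = exe_name(event.get("ParentImage")), exe_name(event.get("Image"))
    if parent == EQUATION_EDITOR:
        severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
        reason = "Equation Editor spawned a child process"
    elif child == EQUATION_EDITOR:
        severity, reason = "info", "Equation Editor started"
    else:
        return None
    return {"host": event.get("host"), "severity": severity, "reason": reason,
            "process": child, "command_line": event.get("CommandLine", "")}

def detect(events):
    """Run classify over all events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Matching on the file name rather than the full path keeps the rule working across Office versions and install locations.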

 

References

 

Tags

Execution
APT32
APT41
Splunk
Cobalt Group
Frankenstein
Inception
Leviathan
Patchwork
Tropic Trooper
Exploitation for Client Execution
