CVE-2017-11882

Vulnerability Profile (updated a month ago)
CVE-2017-11882 is a memory-corruption vulnerability (a stack buffer overflow) in Microsoft Equation Editor (EQNEDT32.EXE), a legacy component shipped with Microsoft Office that is invoked whenever a document embeds an Equation Editor OLE object. Successful exploitation gives the attacker arbitrary code execution in the context of the user who opened the document; no macros and no user interaction beyond opening the file are required. Microsoft patched the flaw in November 2017 and removed Equation Editor from Office entirely in the January 2018 updates, so on a fully updated system the vulnerable binary is no longer present. On any other system, a crafted RTF or Word document is enough.

The vulnerability was built into Royal Road, an RTF weaponizer shared among several Chinese state-sponsored groups. The tool generates malicious RTF files that exploit this and the other Equation Editor vulnerabilities (CVE-2018-0798 and CVE-2018-0802) to deliver malware to unpatched systems.

Over time, CVE-2017-11882 has been used to spread numerous notorious malware families. It was used to disseminate Dridex in 2017 and GuLoader in 2021. More recently, Zscaler ThreatLabz described a campaign that leveraged the flaw to deliver the Agent Tesla information stealer. Agent Tesla is sold under a Malware-as-a-Service (MaaS) model; it provides an initial foothold on the compromised host and can download further tooling, including ransomware.

Other threat actors have exploited CVE-2017-11882 as well. LuckyMouse weaponized Office documents with it, although the referenced report found no evidence that those documents were the vector in the national data center intrusion it describes. TA558 campaigns tracked by Palo Alto Networks, Cisco Talos, and Uptycs used malicious Microsoft Word attachments, or remote template URLs, exploiting CVE-2017-11882 to download and install malware. These cases underline the ongoing threat posed by old Microsoft Word and Excel vulnerabilities: the exploit is cheap and reliable, and it still works on every host that has not received the 2018 Office updates.
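The following triage scanner is an added example; it is not code from this page, from Cybergeist, or from any vendor named above. It shows what the exploit documents described in the profile look like on the wire: an RTF `\object` whose `\objdata` hex decodes to an OLE1 object of class Equation.3, whose native data carries the Equation Editor CLSID `{0002CE02-0000-0000-C000-000000000046}` and the "Equation Native" stream that holds the MTEF equation data. The scanner flags those indicators plus `\objupdate`, which forces the object to load when the document opens. It does not parse MTEF or reproduce the overflow; the sample RTF it builds is constructed for the test and contains no exploit payload. The `equation.2` ProgID being treated the same as `equation.3` is an assumption, as are all function and field names.

```python
"""Triage scanner for RTF files carrying an embedded Equation Editor (EQNEDT32) object.

Added example. Flags the public indicators an Equation Editor exploit document must
carry to reach the vulnerable code (OLE1 class Equation.3, the EQNEDT32 CLSID, the
"Equation Native" stream) and \\objupdate. The sample at the bottom is constructed.
"""
import re
import struct

# {0002CE02-0000-0000-C000-000000000046} as stored on disk (Data1..Data3 little-endian).
EQUATION_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")  # CFB stream name holding MTEF
EQUATION_PROGIDS = {"equation.3", "equation.2"}          # assumption: both map to EQNEDT32

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\}\s]+)")


def parse_ole1_header(blob: bytes):
    """Parse an OLE1 ObjectHeader (MS-OLEDS): Version, FormatID, then three
    length-prefixed ANSI strings (ClassName, TopicName, ItemName). For FormatID 2
    (embedded object) NativeDataSize and NativeData follow.
    Returns (class_name, native_data), or (None, b"") when the header is malformed."""
    if len(blob) < 8:
        return None, b""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):
        if off + 4 > len(blob):
            return None, b""
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if n > len(blob) - off:          # length field points past the blob: malformed
            return None, b""
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    native = b""
    if fmt == 2 and off + 4 <= len(blob):
        (size,) = struct.unpack_from("<I", blob, off)
        native = blob[off + 4:off + 4 + size]
    return names[0], native


def scan_rtf(data: bytes) -> dict:
    """Collect Equation Editor indicators from raw RTF bytes."""
    result = {"objclass": [], "ole1_class": [], "objects": 0, "clsid": False,
              "equation_native": False, "objupdate": b"\\objupdate" in data}
    result["objclass"] = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(data)]
    for m in OBJDATA_RE.finditer(data):
        result["objects"] += 1
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(hexstr[:len(hexstr) & ~1].decode("ascii"))
        cls, _native = parse_ole1_header(blob)
        if cls is not None:
            result["ole1_class"].append(cls)
        # Search the whole blob so a mangled OLE1 header cannot hide the CLSID/stream name.
        result["clsid"] |= EQUATION_CLSID in blob
        result["equation_native"] |= EQUATION_NATIVE in blob
    return result


def verdict(result: dict) -> str:
    """'equation-editor-object' if anything would make Office invoke EQNEDT32,
    'embedded-object' for any other OLE object, otherwise 'clean'."""
    names = {n.lower() for n in result["objclass"] + result["ole1_class"]}
    if names & EQUATION_PROGIDS or result["clsid"] or result["equation_native"]:
        return "equation-editor-object"
    if names or result["objects"]:
        return "embedded-object"
    return "clean"


def _lpstr(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: 4-byte length including the terminating NUL."""
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_sample_rtf() -> bytes:
    """Constructed test input: an RTF with one OLE1 'Equation.3' object whose native data
    is a stub carrying only the CFB magic, the Equation Editor CLSID and the stream name."""
    native = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
              + EQUATION_CLSID + EQUATION_NATIVE)
    ole1 = (struct.pack("<II", 0x0501, 2) + _lpstr(b"Equation.3") + _lpstr(b"") + _lpstr(b"")
            + struct.pack("<I", len(native)) + native)
    return (b"{\\rtf1\\ansi {\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            r = scan_rtf(f.read())
        print(path, verdict(r), r)
    demo = scan_rtf(build_sample_rtf())
    print("constructed sample:", verdict(demo), demo)
```

Real maldocs frequently obfuscate the RTF (split control words, `\bin` data, junk between hex digits), so for production triage use a parser that handles those tricks, such as rtfobj from oletools; this block only makes the indicators concrete. The check a practitioner actually wants on endpoints is the complementary one: confirm that EQNEDT32.EXE is absent (the January 2018 updates remove it), because any Equation.3 object then fails to load regardless of how the document is obfuscated.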
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so this section lists possible overlapping names or profiles. No overlapping profiles are listed for this entry.
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Malware, Vulnerability, Tesla, Microsoft, Exploit, Chinese, State Sponso..., Proofpoint, Qualys, Phishing, MaaS, Payload, Ransomware, Zscaler, Russia
Associated Malware
Each entry gives the malware name, the number of votes for the association, and the relation type (unspecified in all cases), followed by the profile description.

Agent Tesla (5 votes; relation type unspecified)
Agent Tesla is a sophisticated malware designed to infiltrate systems and extract sensitive data. It's often spread through phishing attacks, exploiting an old Microsoft Office flaw (CVE-2017-11882) to gain access to unsuspecting users' devices. Once embedded in a system, Agent Tesla can collect a w

Formbook (3 votes; relation type unspecified)
Formbook is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d

PowerShower (2 votes; relation type unspecified)
PowerShower is a malware variant that emerged as a significant threat due to its ability to exploit and damage computer systems. It was first observed in attacks against European targets in October 2018, where it exploited the CVE-2017-11882 vulnerability. The malware, written in PowerShell, was dow

Lokibot (2 votes; relation type unspecified)
LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information

GuLoader (2 votes; relation type unspecified)
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has

BONDUPDATER (1 vote; relation type unspecified)
BondUpdater is a malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allo

Cannon (1 vote; relation type unspecified)
The Cannon malware is a sophisticated and harmful program designed to infiltrate computer systems, often through suspicious downloads, emails, or websites. The actor initiates the attack by sending an email to a specific address with a unique system identifier as the subject and a file path for the

PlugX (1 vote; relation type unspecified)
PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi

PoisonIvy (1 vote; relation type unspecified)
PoisonIvy is a malicious software (malware) known for its damaging capabilities, including stealing personal information and disrupting system operations. The malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it maintai

Dridex (1 vote; relation type unspecified)
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o

Hailbot (1 vote; relation type unspecified)
HailBot is a malicious software variant that emerged in September 2023, based on the Mirai source code. This malware was identified and analyzed by cybersecurity firm NSFOCUS and content delivery network Akamai. It is known to propagate through exploitation of vulnerabilities and weak passwords, wit

Cobalt Strike Beacon (1 vote; relation type unspecified)
Cobalt Strike Beacon is a form of malware that has been linked to significant ransomware activity. It is loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version via vm.cfg. This malicious software can infiltrate systems and enable backdoor functiona

POWRUNER (1 vote; relation type unspecified)
Powruner is a malicious software (malware) associated with other malware such as POWBAT and BONDUPDATER, and it's utilized by the Advanced Persistent Threat group APT34. The malware is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites.
Associated Threat Actors
Each entry gives the actor name, the number of votes for the association, and the relation type (unspecified in all cases), followed by the profile description.

APT40 (1 vote; relation type unspecified)
APT40, also known as Red Ladon or IslandDreams, is a China-linked cyber espionage group that typically targets countries strategically important to China's Belt and Road Initiative. The group has been observed using at least 51 different code families, with its attack vectors often involving spear-p

Cloud Atlas (1 vote; relation type unspecified)
Cloud Atlas, a sophisticated threat actor group, has been actively involved in cyber-espionage activities against various nations, primarily targeting Russia and former Soviet Union countries such as Belarus, Kazakhstan, and Azerbaijan. This group employs advanced techniques to evade detection and e

OceanLotus (1 vote; relation type unspecified)
OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate

APT32 (1 vote; relation type unspecified)
APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s

Oceanlotus Group (1 vote; relation type unspecified)
The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo

Cobalt Group (1 vote; relation type unspecified)
The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o

LuckyMouse (1 vote; relation type unspecified)
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an

APT34 (1 vote; relation type unspecified)
APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Associated Vulnerabilities
Each entry gives the CVE identifier, the number of votes for the association, and the relation type (unspecified in all cases), followed by the profile description where the corpus has one.

CVE-2018-0802 (2 votes; relation type unspecified)
No profile description in the corpus. Editor's note: this is the second Equation Editor memory-corruption flaw, patched by Microsoft in January 2018 together with the removal of EQNEDT32.EXE; exploit documents commonly chain it with CVE-2017-11882 so that one RTF works against both patched-for-11882 and unpatched hosts.

CVE-2017-0199 (2 votes; relation type unspecified)
CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin

CVE-2018-0798 (1 vote; relation type unspecified)
No profile description in the corpus. Editor's note: another Equation Editor memory-corruption vulnerability from the January 2018 patch set; it is one of the exploits built into the Royal Road RTF weaponizer mentioned in the profile above.
Source Document References
Information about the CVE-2017-11882 vulnerability was read from the documents listed below (source, age at time of capture, and title). This display is limited to 20 results.

Securityaffairs (5 months ago): Security Affairs newsletter Round 456 by Pierluigi Paganini
MITRE (a year ago): SideWinder APT Targets with futuristic Tactics and Techniques
MITRE (a year ago): LuckyMouse hits national data center to organize country-level waterholing campaign
MITRE (a year ago): APT40: Examining a China-Nexus Espionage Actor | Mandiant
CERT-EU (a year ago): Chinese Hackers Targeted G7 Summit Through MS Office Flaw
Securityaffairs (2 months ago): Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs (5 months ago): Security Affairs newsletter Round 453 by Pierluigi Paganini
CERT-EU (9 months ago): Years-old Microsoft bugs are still hot targets for criminals
Securityaffairs (3 months ago): Security Affairs newsletter Round 461 by Pierluigi Paganini
CERT-EU (a year ago): SOC First Defense - Understanding The Cyber Attack Chain - A Defense with/without SOC
CERT-EU (7 months ago): New Variant of Agent Tesla Malware Utilises ZPAQ Compression Format in Targeted Cyber Attacks
MITRE (a year ago): Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
CERT-EU (6 months ago): Hackers Exploiting Old Microsoft Office RCE Flaw to Deploy Agent Tesla Malware
Checkpoint (4 months ago): Maldocs of Word and Excel: Vigor of the Ages - Check Point Research
Securityaffairs (a month ago): Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
Securityaffairs (2 months ago): Security Affairs newsletter Round 466 by Pierluigi Paganini
MITRE (a year ago): Tropic Trooper’s New Strategy
CERT-EU (6 months ago): HCL reviews ransomware, Agent Tesla, JavaScript bank malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Checkpoint (4 months ago): 12th February – Threat Intelligence Report - Check Point Research