CVE-2017-11882

Vulnerability Profile Updated 3 months ago
Download STIX
Preview STIX
CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful RTF files that exploit this and other vulnerabilities in the Equation Editor, enabling the delivery of malware to unpatched systems. Over time, this vulnerability has been used to spread numerous notorious malware families. For instance, it was used to disseminate Dridex in 2017 and Guloader in 2021. More recently, Zscaler ThreatLabz highlighted a threat campaign that leveraged CVE-2017-11882 to spread the Agent Tesla information-stealing malware. This malware, offered within the Malware-as-a-Service (MaaS) framework, provides an initial entry point into compromised systems and enables the download of more advanced tools, such as ransomware. Various threat actors have exploited CVE-2017-11882 in their campaigns. For example, LuckyMouse weaponized Office documents using this vulnerability, although there is no evidence of this technique being employed in a specific attack against a data center. Furthermore, TA558 campaigns tracked by Palo Alto Networks, Cisco Talos, and Uptycs have used malicious Microsoft Word document attachments or remote template URLs exploiting CVE-2017-11882 to download and install malware. These instances underline the ongoing threat posed by outdated Microsoft Word and Excel vulnerabilities.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Vulnerability
Microsoft
Tesla
Exploit
Chinese
Qualys
Phishing
Maas
Payload
Ransomware
Proofpoint
State Sponso...
Zscaler
Russia
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Agent TeslaUnspecified
5
Agent Tesla is a malicious software (malware) that exploits and damages computer systems, often infiltrating the system through suspicious downloads, emails, or websites. This malware can steal personal information, disrupt operations, and potentially hold data for ransom. Agent Tesla has been obser
FormbookUnspecified
3
Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
PowerShowerUnspecified
2
PowerShower is a malware variant that emerged as a significant threat due to its ability to exploit and damage computer systems. It was first observed in attacks against European targets in October 2018, where it exploited the CVE-2017-11882 vulnerability. The malware, written in PowerShell, was dow
LokibotUnspecified
2
LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
GuLoaderUnspecified
2
GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
POWRUNERUnspecified
1
Powruner is a malicious software (malware) associated with other malware such as POWBAT and BONDUPDATER, and it's utilized by the Advanced Persistent Threat group APT34. The malware is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites.
BONDUPDATERUnspecified
1
BondUpdater is a malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allo
PlugXUnspecified
1
PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
PoisonIvyUnspecified
1
PoisonIvy is a malicious software (malware) known for its damaging capabilities, including stealing personal information and disrupting system operations. The malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it maintai
DridexUnspecified
1
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Cobalt Strike BeaconUnspecified
1
Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
CannonUnspecified
1
The Cannon malware is a sophisticated and harmful program designed to infiltrate computer systems, often through suspicious downloads, emails, or websites. The actor initiates the attack by sending an email to a specific address with a unique system identifier as the subject and a file path for the
HailbotUnspecified
1
HailBot is a malicious software variant that emerged in September 2023, based on the Mirai source code. This malware was identified and analyzed by cybersecurity firm NSFOCUS and content delivery network Akamai. It is known to propagate through exploitation of vulnerabilities and weak passwords, wit
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
LuckyMouseUnspecified
1
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Cloud AtlasUnspecified
1
Cloud Atlas, a sophisticated threat actor group, has been actively involved in cyber-espionage activities against various nations, primarily targeting Russia and former Soviet Union countries such as Belarus, Kazakhstan, and Azerbaijan. This group employs advanced techniques to evade detection and e
APT40Unspecified
1
APT40, a Chinese cyber espionage group suspected to be linked to the People's Republic of China (PRC) Ministry of State Security, has been identified as a significant threat actor. The group typically targets countries strategically important to China's Belt and Road Initiative. Over the years, APT4
APT34Unspecified
1
APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
OceanLotusUnspecified
1
OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
APT32Unspecified
1
APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s
Cobalt GroupUnspecified
1
The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o
Oceanlotus GroupUnspecified
1
The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2018-0802Unspecified
2
None
CVE-2017-0199Unspecified
2
CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin
CVE-2018-0798Unspecified
1
None
Source Document References
Information about the CVE-2017-11882 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
5 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
6 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
12 days ago
Security Affairs Malware Newsletter - Round 2
Securityaffairs
20 days ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
a month ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Fortinet
2 months ago
New Agent Tesla Campaign Targeting Spanish-Speaking People | Fortinet Blog
Securityaffairs
2 months ago
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading
3 months ago
To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware
Securityaffairs
3 months ago
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
BankInfoSecurity
3 months ago
Steganography Campaign Targets Global Enterprises
Securityaffairs
3 months ago
Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
4 months ago
Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs
5 months ago
Security Affairs newsletter Round 462 by Pierluigi Paganini
CERT-EU
5 months ago
Kaspersky spam and phishing report for 2023