{"id":2763,"date":"2024-09-25T19:51:44","date_gmt":"2024-09-25T19:51:44","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2763"},"modified":"2025-07-29T06:37:52","modified_gmt":"2025-07-29T06:37:52","slug":"malware-targeting-cve-2017-11882-caught-in-the-wild","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/malware-targeting-cve-2017-11882-caught-in-the-wild\/","title":{"rendered":"Malware targeting CVE-2017-11882 caught in the wild"},"content":{"rendered":"
\n
\"Malware<\/figure>\n<\/div>\n\n\n

At LMNTRIX Labs, we\u2019ve accessed a malware sample exploiting the recently-discovered Microsoft Equation Editor buffer overflow vulnerability. The vulnerability, CVE-2017-11882, was patched in last month\u2019s Patch Tuesday release, so if you haven\u2019t already done so, you can install the patch here<\/a>.

The flaw is a remote code execution vulnerability which allows attackers to run malicious code on a victim computer. It is present in all Windows versions released in the past 17 years. To be clear, this isn\u2019t just a theoretical vulnerability \u2013 there is even evidence suggesting it is being exploited by the Iranian group APT34<\/a>.

So, let\u2019s take a look at the sample we\u2019ve managed to get our hands on:

Sample Details:  <\/strong><\/p>\n\n\n\n

Filename <\/strong><\/td>PO_GFC-17120001.doc<\/td><\/tr>
Md5<\/strong><\/td>a3d89108e4a13900c299d7c5f6d687e0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Exploitation Technique:<\/strong> 

Over 17 years ago, Microsoft complied a component called Microsoft Equation Editor as part of Microsoft Office. The vulnerability exists because Microsoft\u2019s out of process COM server is hosted by eqnedt32.exe running as a singleton process which can accept commands from foreign processes.

Our sample exploits the remote code execution capabilities of \u201ceqnedt32.exe\u201d and the OLE (Object Linking and Embedding) equation object flaw, which allows documents and other objects to be embedded or linked to in applications. 

Distributed via spam email, the malicious doc file \u201cPO_GFC-17120001.doc\u201d includes \u201cOLEStartupAsServer<\/strong>\u201d and \u201cOleObjSetExtent called; x = %d, y = %d, EMBED Equation.3<\/strong>\u201d which shows the sample is targeting the OLE flaw.

Process Diagram:<\/strong>
 <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The malicious word file (PID:3024) spawns Equation Editor (PID: 3540) which calls the CMD.exe (PID:2168) to communicate with the Command and Control (C2) server hosted at 185[.]45[.]192[.]7. 

The command issued from the C2 launches the payload to execute on the Windows Equation Editor. 

At the time of analysis, not only is the C2 server still active, but no Antivirus vendors were able to detect the URL as malicious. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the malicious command from C2 is executed on the victim machine, the attackers take full control of the machine by running the exploit code. 

IOC\u2019s:<\/strong>

MD5: – a3d89108e4a13900c299d7c5f6d687e0

MD5: – 535899a1097b1105d2473637d4a86491396212e5

URL: <\/strong>

http[:]185.45.192.7\\s\\filename.exe

smb[:]\/\/185.175.208.10\/s\/r.exe

smb[:]\/\/185.175.208.10\/s\/p.exe

http[:]\/\/78.46.152.143\\\\webdav

Mitigation:<\/strong>

Although mentioned in the introduction, if you haven\u2019t applied Microsoft\u2019s latest security patch, you can do so here<\/a>. Seriously, do this now. 

Alternatively, Equation Editor can also be disabled. This article<\/a> shows step-by-step how to do so.<\/p>\n","protected":false},"excerpt":{"rendered":"

At LMNTRIX Labs, we’ve accessed a malware sample exploiting the recently-discovered Microsoft Equation Editor buffer overflow vulnerability. The vulnerability, CVE-2017-11882, was patched in last month’s Patch Tuesday release, so if you haven’t already done so, you can install the patch here. The flaw is a remote code execution vulnerability which allows attackers to run malicious […]<\/p>\n","protected":false},"author":1,"featured_media":2766,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2763"}],"version-history":[{"count":5,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2763\/revisions"}],"predecessor-version":[{"id":4310,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2763\/revisions\/4310"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2766"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}