Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018


During Anomali Threat Research's tracking of the "Royal Road" Rich Text Format (RTF) weaponizer, commonly used by multiple Chinese threat actors to exploit CVE-2017-11882 and CVE-2018-0802, we discovered that multiple Chinese threat groups updated their weaponizer in late 2018 to exploit a third Microsoft Equation Editor (EE) vulnerability, CVE-2018-0798. We believe the groups moved to CVE-2018-0798 instead of the other Equation Editor Remote Code Execution (RCE) vulnerabilities because it is more reliable: it works on all known versions of Equation Editor.


The analyzed RTF files share the same object dimension (\objw2180\objh300) that we used to track the RTF weaponizer in our previous report; however, the samples were not exploiting CVE-2017-11882 or CVE-2018-0802. Further analysis showed that the RTF files were exploiting CVE-2018-0798 in Microsoft Equation Editor (EQNEDT32.EXE). CVE-2018-0798 does not appear to be commonly exploited In The Wild (ITW), even though it is more reliable than its better-known EE RCE counterparts: CVE-2018-0798 works against all EE versions, while the other two are each limited to specific versions. CVE-2017-11882 is only exploitable on unpatched versions prior to its fix, and CVE-2018-0802 is only exploitable on the version released to fix CVE-2017-11882. A threat actor using CVE-2018-0798 therefore has a higher chance of success because the exploit is not limited by version.
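As an added illustration (this is not code from the Anomali report or from any of the tools it mentions), the following Python script checks an RTF document for the two traits the paragraph describes: the object dimension \objw2180\objh300 used to track the Royal Road weaponizer, and an embedded Equation Editor OLE object, detected either from the \objclass control word or from the Equation.3 ProgID inside the decoded \objdata hex stream. It also looks for the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, a well-known Windows constant that the page itself does not cite. The sample RTF fragments are constructed for this example and carry no exploit payload; the constant and function names are assumptions of this example.

```python
"""Triage helper: flag RTF files that carry the Royal Road object dimension
and an embedded Microsoft Equation Editor object.

Added example, not code from the Anomali report. Names below are assumed."""
import binascii
import re
from dataclasses import dataclass, field
from typing import List

# Object dimension the report uses to track the Royal Road weaponizer.
ROYAL_ROAD_DIMENSION = rb"\objw2180\objh300"
# Equation Editor ProgID as it appears in an OLE1 \objdata header.
EQUATION_PROGID = b"Equation.3"
# Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} in its on-disk
# GUID layout (Data1/Data2/Data3 little-endian, Data4 as-is). Not from the page.
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_EQ_RE = re.compile(rb"\\objclass\s+Equation\.3\b")


def decode_objdata(rtf: bytes) -> List[bytes]:
    """Return the raw bytes of every \\objdata hex blob in an RTF document.

    RTF stores embedded OLE objects as hex text that may be broken across
    lines; whitespace is stripped and a trailing odd nibble is dropped."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


@dataclass
class RtfTriage:
    has_royal_road_dimension: bool
    embeds_equation_object: bool
    indicators: List[str] = field(default_factory=list)


def triage_rtf(rtf: bytes) -> RtfTriage:
    """Check an RTF document for the two traits discussed in the report."""
    indicators: List[str] = []
    has_dimension = ROYAL_ROAD_DIMENSION in rtf
    if has_dimension:
        indicators.append("Royal Road object dimension objw2180/objh300")

    has_equation = False
    if OBJCLASS_EQ_RE.search(rtf):
        has_equation = True
        indicators.append("\\objclass Equation.3")
    for blob in decode_objdata(rtf):
        if EQUATION_PROGID in blob:
            has_equation = True
            indicators.append("Equation.3 ProgID inside \\objdata")
        if EQUATION_CLSID_LE in blob:
            has_equation = True
            indicators.append("Equation Editor CLSID inside \\objdata")
    return RtfTriage(has_dimension, has_equation, indicators)


# Constructed sample fragments (no exploit payload): the first mimics a Royal
# Road document with a truncated OLE1 header naming Equation.3, the second is
# a benign embedded Package object with different dimensions.
SAMPLE_SUSPECT = (
    rb"{\rtf1\ansi{\object\objemb\objw2180\objh300"
    rb"{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b000000"
    rb"4571756174696f6e2e3300 0000000000000000}}}"
)
SAMPLE_BENIGN = (
    rb"{\rtf1\ansi{\object\objemb\objw3000\objh1200"
    rb"{\*\objclass Package}{\*\objdata 0105000002000000}}}"
)

if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(sample))
```

The dimension alone is a weak pivot (nothing stops a benign document from using the same object size), so treat a hit as a triage lead to hand to a real RTF parser such as rtfobj rather than as a verdict. The check also does not say which of the three EE vulnerabilities the embedded object targets; that requires parsing the MTEF equation data inside the object, which this example does not do.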


Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798. Some of the analyzed samples have a creation date of November 19, 2017 (five days after a patch was released for CVE-2017-11882), however, that date appears to be in ..
