Microsoft's security researchers issued a warning on Friday afternoon about an ongoing spam wave spreading emails that carry malicious RTF documents. The documents infect users with malware as soon as they are opened, with no further user interaction required.
Microsoft said the spam wave appears to target European users, as the emails are sent in various European languages.
"In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload," the Microsoft Security Intelligence team said.
The final payload is a backdoor trojan, Microsoft said. Fortunately, the trojan's command and control server appears to have gone down by Friday, when Microsoft issued its security alert.
However, there is always the danger of future campaigns that may exploit the same tactic to spread a new version of the backdoor trojan that connects to a working server, allowing crooks direct access to infected computers.
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw[1]
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019[2]
CVE-2017-11882 vulnerability
The good news is that this campaign's initial infection vector relies on an old Office vulnerability that Microsoft patched back in November 2017.
Users who applied the November 2017 Patch Tuesday security updates are protected against the RTF exploit stage of this campaign.
The vulnerability is tracked as CVE-2017-11882[3]. The identifier refers to a flaw in the legacy Equation Editor component that shipped with Office installs and was kept for backwards compatibility alongside Microsoft's newer equation editing module. (Microsoft later removed the legacy component entirely in its January 2018 updates, so a fully patched Office install no longer carries it at all.)
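As an added triage example, not part of the original article and not Microsoft's tooling: the documents in this campaign work by embedding an Equation Editor OLE object in an RTF file, so a quick static check for such objects is a useful first-pass signal on a mail gateway or in a sandbox queue. The script below parses the `{\object ...}` groups of an RTF, decodes the hex `\objdata` blob, and flags objects whose `\objclass` or OLE class name resolves to `Equation.*` or whose data contains the Equation Editor 3.0 CLSID; it also reports `\objupdate`, the control word that forces the object to load when the file is opened. The sample RTF strings are constructed here and contain only an OLE header plus filler bytes, not an exploit. The class-name and CLSID checks are heuristics that attackers try to evade by obfuscating the `\objclass` name and padding the hex with junk control words, which is why both are stripped before decoding.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Little-endian serialisation of the Equation Editor 3.0 CLSID
# {0002CE02-0000-0000-C000-000000000046}, the legacy component that
# CVE-2017-11882 affects. It shows up inside OLE2 payloads carried in objdata.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

# Control words (\word, \word-12) and control symbols (\*, \') are noise
# inside objdata; malware authors sprinkle them in to break naive parsers.
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\.")
OBJCLASS = re.compile(r"\\objclass\s+([^\\{}\s]+)", re.IGNORECASE)


@dataclass
class RtfTriage:
    objects: int = 0            # {\object ...} groups seen
    equation_objects: int = 0   # objects that resolve to Equation Editor
    objupdate: bool = False     # \objupdate present: object loads on open
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.equation_objects > 0


def rtf_group(text: str, start: int) -> str:
    """Return the brace-delimited group opening at text[start], nesting-aware."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unterminated group: take the remainder


def decode_objdata(group: str) -> bytes:
    """Hex-decode an {\\*\\objdata ...} group after stripping control words,
    braces and whitespace. Only hex digits survive the filter."""
    inner = CONTROL_WORD.sub("", group)
    hexchars = "".join(ch for ch in inner if ch in "0123456789abcdefABCDEF")
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars)


def triage_rtf(text: str) -> RtfTriage:
    """Flag RTF documents that embed an Equation Editor OLE object."""
    result = RtfTriage()
    if not text.lstrip().startswith("{\\rt"):  # Word accepts \rtf1 and the bare \rt form
        result.findings.append("not an RTF header")
        return result
    if re.search(r"\\objupdate\b", text):
        result.objupdate = True
        result.findings.append("\\objupdate present: object is loaded when the file is opened")

    for m in re.finditer(r"\{\\object\b", text, re.IGNORECASE):
        result.objects += 1
        obj = rtf_group(text, m.start())
        reasons = []

        cls = OBJCLASS.search(obj)
        if cls and cls.group(1).lower().startswith("equation."):
            reasons.append("objclass %s" % cls.group(1))

        data = re.search(r"\{\\\*\\objdata\b", obj, re.IGNORECASE)
        if data:
            blob = decode_objdata(rtf_group(obj, data.start()))
            if b"equation." in blob.lower():          # OLE1 class name string
                reasons.append("OLE class name Equation.* in objdata")
            if EQNEDT_CLSID_LE in blob:               # OLE2 CLSID inside the payload
                reasons.append("Equation Editor CLSID in objdata")

        if reasons:
            result.equation_objects += 1
            result.findings.append("object %d: %s" % (result.objects, "; ".join(reasons)))
    return result


def ole1_header(class_name: bytes) -> bytes:
    """OLE 1.0 object stream prefix: version, format id 2 (embedded), class name."""
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(class_name + b"\x00").to_bytes(4, "little") + class_name + b"\x00")


# Constructed samples (not real campaign files). The suspicious one has the
# shape the article describes: forced update plus an Equation.3 object; its
# objdata is just an OLE header and filler bytes.
SUSPICIOUS_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    "{\\*\\objdata " + (ole1_header(b"Equation.3") + b"\x00" * 8
                        + b"\x10\x00\x00\x00" + b"A" * 16).hex() + "}}}"
)
BENIGN_RTF = (
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
    "{\\*\\objdata " + (ole1_header(b"Word.Document.8") + b"\x00" * 12).hex() + "}}"
    "\\par Quarterly figures attached.}"
)

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        r = triage_rtf(sample)
        print(name, "->", "FLAG" if r.suspicious else "ok", r.findings)
```

Treat a hit as a triage signal rather than a verdict: a legitimate document with a real equation object will also match, and an unpatched Office install is what turns the object into code execution. The check pairs naturally with the patch status above, and it tells you nothing about the later VBScript, PowerShell and PHP download stages, which need separate detonation.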