Microsoft Office Bug Remains Top Malware Delivery Vector

Published: 23/11/2024   Category: security




CVE-2017-11882 has been attackers' favorite malware delivery mechanism throughout the second and third quarters of 2019.



The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers' continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerability to deliver phishing campaigns.
Emotet began to surge toward the end of last quarter, according to Cofense's Q3 2019 Malware Trends Report, the latest report in a series of phishing updates throughout the year. Summer lulls are not uncommon for cybercriminals, says threat intelligence manager Mollie MacDougall, as attackers and targets take more holidays. Emotet's summer break contributed to the quiet.
It wasn't completely silent on the phishing front. Researchers saw a shift from mostly information stealers in the second quarter, to keyloggers, namely Agent Tesla, in the third. The change doesn't necessarily reflect a broader shift to keyloggers; nor does it relate to a specific campaign. The unconfirmed likelihood, MacDougall says, is Agent Tesla was cracked, enabling unpaid access to the service and increasing its popularity. Paid users of the keylogger can access an easy-to-use Web interface and customer support via Discord, enabling simpler propagation.
Threat actors presumably saw an opportunity to leverage a cheap solution that does not require much effort for decent profit, namely in the form of credentials or sensitive information, she adds.
Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware. The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a prolific technique for attackers to spread malware through phishing attacks, researchers report.
The memory corruption vulnerability, now patched, had existed for 17 years before a fix was released in Nov. 2017. This remote code execution bug exists in Microsoft Office when the software fails to properly handle objects in memory. It's exploited using Office attachments, which may range from Excel spreadsheets to Word docs to RTF files. When a victim clicks a malicious document, the exploit is triggered and usually downloads stage-two malware.
Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders. Attackers' consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.
Around the holidays, phishing emails with malware often demonstrate a change in trend, opting for holiday greeting cards and graphics or sound with underlying nefarious code, says MacDougall. Emotet's operators typically pause around Russian Orthodox Christmas, she points out, and the threat typically experiences a resurgence in activity right before then – activity researchers began to see ramp up toward the end of the third quarter, MacDougall notes. Researchers anticipate Emotet's operators will increase its volume and sophistication.
Another notable trend in the third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones. GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination. Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.
The decline of RaaS may continue, but we definitely expect more targeted ransomware campaigns to continue and likely increase, says MacDougall, noting it is key to differentiate between RaaS and targeted ransomware campaigns going after high-value targets. With the sustained decline in active RaaS families in the last two years, that model seems to have been tabled as unlucrative as compared to other TTPs, she adds of RaaS campaigns.
For more sophisticated attackers, targeted ransomware campaigns are bringing in larger payouts, especially as insurance companies contribute to ransom payments. The combination of insurers' involvement, along with stories of how companies struggled to recover without paying ransom, may lead to a test-the-water resurgence in RaaS further down the road.
Looking ahead to the fourth quarter and beyond, MacDougall anticipates attackers will continue to use delivery mechanisms that work best, often abusing software features that are essential to daily business operations along with known vulnerabilities. Emotet is predicted to remain in operation for as long as possible with periods of quiet for updates and retooling. Finally, she expects more election-focused campaigns as both nation-states and non-state groups aim to influence the 2020 elections with information operations and cyber espionage.