CVE-2018-0802 packager exec proof-of-concept

CVE-2018-0802 (new Equation Editor exploits) is in the wild now. This exploit embeds any .exe and runs it, using an OLE Packager.dll function.

During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase in samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.

The attack uses the following process to drop and execute the payload on a system.

  1. The user opens the Office document and enables macros.
  2. The macro saves the active document as an RTF file.
  3. The macro silently opens the RTF document.
  4. On open, the RTF document drops the embedded object to Temp.
  5. The macro executes the dropped file.
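
For triage of the RTF produced in steps 2 to 4, the following added example (not from the original post or its source code) flags embedded OLE `Package` objects in an RTF file's `\objdata` and reports the label each one carries. The sample document is constructed and inert; the native-data layout after the OLE1 object header (a 2-byte header followed by a NUL-terminated label) is an assumption based on commonly observed Package streams.

```python
import re
import struct

# \objdata group body: hex digits and whitespace up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9a-fA-F\s]+)")
RISKY_EXT = (".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".lnk")

# Constructed, inert sample: OLE1 header for class "Package" wrapping the
# label "invoice.exe" and four placeholder bytes ("TEST"), no real payload.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    b"0105000002000000080000005061636b61676500\n"
    b"000000000000000012000000\n"
    b"0200696e766f6963652e6578650054455354}}}"
)


def lp_string(buf, off):
    """Read an OLE1 LengthPrefixedAnsiString; return (text, next offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4 : off + 4 + n]
    return raw.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def find_packages(rtf_bytes):
    """Return one finding per embedded OLE1 object whose class is Package."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf_bytes):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits = digits[: len(digits) & ~1]  # drop a dangling nibble
        blob = bytes.fromhex(digits.decode("ascii"))
        try:
            _ver, fmt = struct.unpack_from("<II", blob, 0)
            cls, off = lp_string(blob, 8)
            _topic, off = lp_string(blob, off)
            _item, off = lp_string(blob, off)
            (size,) = struct.unpack_from("<I", blob, off)
        except struct.error:
            continue  # truncated, or not an OLE1 object header
        if fmt != 2 or cls.lower() != "package":
            continue  # FormatID 2 = embedded object
        native = blob[off + 4 : off + 4 + size]
        # Assumption: 2-byte stream header, then a NUL-terminated label.
        label = native[2:].split(b"\x00", 1)[0].decode("latin-1")
        findings.append({"label": label, "native_size": size,
                         "risky": label.lower().endswith(RISKY_EXT)})
    return findings
```

The regex only handles plain, unobfuscated `\objdata`; samples that break up the hex with control words need a full RTF parser such as `rtfobj` from oletools.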

Packager spec based on:

Dropping method by Haifei Li:

Found being used itw by @MalwareParty:

Source code: at
