CVE-2018-0802 (new Equation Editor exploits) is now in the wild. The exploit embeds an arbitrary .exe and runs it, using the OLE Packager.dll function.
During malware analysis we often see attackers using features in creative ways to deliver and obfuscate malware. We’ve recently seen an increase in samples leveraging RTF temp files as a delivery method to encapsulate and drop malware.
The attack uses the following process to drop and execute the payload on a system.
- The user opens the Office document and enables macros.
- The macro saves the active document as an RTF file.
- The macro silently opens the RTF document.
- On open, the RTF document drops the embedded object to Temp.
- The macro executes the dropped file.
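The delivery form above (an RTF whose OLE Packager object wraps an executable) can be triaged statically before anything is opened. The following scanner is an added example, not code from the original post: it pulls the `\objclass` name and `\objdata` hex out of each `\object` group, decodes it, and looks for a PE image by checking that an `MZ` header's `e_lfanew` points at a `PE\0\0` signature. The sample RTF and the OLE1-shaped prefix are constructed here for the demonstration and are not a real sample.

```python
"""Heuristic scanner for RTF files carrying an OLE Packager object that wraps a PE image."""
import re
import struct
from binascii import hexlify, unhexlify

# Lazily match each \object group's class name and its \objdata hex run (RTF is nested,
# so this is a triage heuristic, not a full RTF parser).
OBJECT_RE = re.compile(
    rb"\\object.*?\\\*\\objclass\s+([\w.]+).*?\\\*\\objdata\s*([0-9A-Fa-f\s]+)", re.DOTALL)


def first_pe_offset(blob: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0', else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            sig = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def scan_rtf(rtf: bytes) -> list:
    """One finding per \\object group: class name, decoded size, PE offset, verdict."""
    findings = []
    for objclass, hexdata in OBJECT_RE.findall(rtf):
        hexdata = re.sub(rb"\s+", b"", hexdata)
        if len(hexdata) % 2:            # odd nibble count: truncated or deliberately malformed
            hexdata = hexdata[:-1]
        blob = unhexlify(hexdata)
        pe = first_pe_offset(blob)
        findings.append({"objclass": objclass.decode(), "size": len(blob), "pe_offset": pe,
                         "suspicious": objclass.lower() == b"package" and pe != -1})
    return findings


# Constructed sample: a minimal fake PE (MZ stub whose e_lfanew -> 'PE\0\0'), behind a
# loosely OLE1-shaped header naming class 'Package', hex-encoded into \objdata.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
OLE1_HEADER = struct.pack("<II", 0x501, 2) + struct.pack("<I", 8) + b"Package\0" + b"\0" * 8
NATIVE = OLE1_HEADER + struct.pack("<I", len(FAKE_PE)) + b"fake.exe\0C:\\x\\fake.exe\0" + FAKE_PE
SAMPLE_MALICIOUS = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
                    + hexlify(NATIVE) + b"}}}")
# Constructed benign control: an embedded Word document (OLE2 magic), no PE inside.
SAMPLE_BENIGN = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
                 + hexlify(b"\xd0\xcf\x11\xe0" + b"\0" * 32) + b"}}}")

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_rtf(sample))
```

On a real file, read it in binary mode and pass the bytes to `scan_rtf`; a `Package` class with a non-negative `pe_offset` is the pattern this post describes and warrants pulling the file for analysis.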
Packager spec based on:
Dropping method by Haifei Li:
Found being used itw by @MalwareParty: