Microsoft bug CVE-2017-11882 exploited to deliver Loki information stealer
Attackers continue to exploit a recently patched remote code execution vulnerability in the Microsoft Equation Editor component of Microsoft Office, this time using the bug to deliver a modified version of Loki information-stealing malware.
The vulnerability, CVE-2017-11882, is a memory corruption bug that was patched on 14 November, yet it has reportedly already been leveraged in multiple in-the-wild attacks delivering malware such as Cobalt, POWRUNER, BONDUPDATER, Pony/FAREIT, FormBook, ZBOT, and Ursnif.
According to a Thursday blog post from Trend Micro, the Loki campaign has so far targeted the US, France, Hong Kong, Croatia, India, Australia, South Korea, and Mauritius. Loki can harvest data from File Transfer Protocol (FTP) clients, web browsers, email clients, and IT administration tools such as PuTTY; it also acts as a malware loader and is capable of capturing keystrokes.