ASM Cybersecurity
Nov 21, 2023
Microsoft Office Remote Code Execution Vulnerability
[CVE-2017-8570]

CVE-2017-8570 designates a security flaw in Microsoft Office, specifically in its handling of certain components embedded within Rich Text Format (RTF) files. The vulnerability allows an attacker to execute code of their choosing on a targeted system when a user opens a specially crafted RTF file.

The vulnerability is exploited through crafted RTF files, typically delivered by email or hosted on websites, with the aim of deceiving users into opening the malicious file.

Infection Chain:

Target — Windows Platform.

Infection Vector — Malspam campaign of phishing emails.

In this blog post, we will conduct an in-depth analysis of the MS Office CVE-2017-8570 vulnerability. The analysis is divided into two stages: first, examination of the email headers; second, investigation of the attached Word document and the subsequent payload carried in the RTF file.

Stage 1: Phishing Email Analysis

Analyzing phishing emails is a crucial cybersecurity activity focused on detecting and addressing phishing threats. Key elements of phishing email analysis include:

Reviewing Email Headers:

Scrutinize sender information and email routing to identify any anomalies or irregularities in the email headers.

Evaluating Content and Links:

Examine the email’s content, embedded links, and attachments to identify potential signs of phishing activity. This thorough evaluation helps in uncovering malicious elements within the email.

The sender address is evidently invalid, and the complete absence of body text strongly indicates a targeted phishing attempt: with no substantive message, the attachment is presented directly, enticing the user to open it. These findings can be cross-checked in other sandboxes; the results are shown below.

Sandbox Results

According to the sandbox analysis, the provided email address is invalid, and the hosting source is flagged on security vendor blacklists. At the initial stage, it became apparent that this is indicative of a spear-phishing attempt employing social engineering tactics.
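As an added example (not part of the original post or ASM Cybersecurity's tooling), the Python below applies the Stage 1 checks to a single raw message: the visible From domain against the Return-Path domain, the SPF result recorded in Authentication-Results, an empty body that carries only an attachment, and the attachment's SHA-256 against a watchlist seeded with the .DOC hash from the IoC list later in the post. The message, addresses and domains are constructed for the example and are not the analysed sample.

```python
import email
import hashlib
from email import policy
from email.utils import parseaddr

# SHA-256 of the malicious .DOC from the post's IoC list; the constructed sample
# below will not match it, so the match path is exercised with its own hash.
WATCHLIST = {"935a394128e7c42b915d94309d81b6c5111641651cfaa1b8c6db2e0095b7110f"}

# Constructed message (not the analysed sample): empty body, a bare .doc
# attachment, and an envelope sender domain that differs from the visible From.
SAMPLE_EML = rb"""Return-Path: <bounce@mailer.example.net>
From: "Purchasing" <orders@invalid-domain.example>
To: victim@example.com
Subject: Product Drawing
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="Product Drawing.doc"
Content-Disposition: attachment; filename="Product Drawing.doc"
Content-Transfer-Encoding: 7bit

{\rtf1 constructed sample}
--b1--
"""

def domain(addr: str) -> str:
    """Lower-cased domain part of an address header, '' when the header is absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage(raw: bytes, watchlist: set) -> dict:
    """Header, body and attachment checks for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = (msg["Authentication-Results"] or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))  # None when only attachments exist
    body_text = body.get_content().strip() if body else ""
    attachments = []
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        attachments.append({"name": part.get_filename(), "sha256": digest,
                            "ioc_match": digest in watchlist})
    findings = []
    if domain(msg["From"]) != domain(msg["Return-Path"]):
        findings.append("From domain differs from Return-Path domain")
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    if not body_text and attachments:
        findings.append("Empty body with attachment only")
    if any(a["ioc_match"] for a in attachments):
        findings.append("Attachment hash matches watchlist")
    return {"attachments": attachments, "findings": findings}
```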

Now, let’s proceed to examine the attached file, which happens to be a Word document named “Product Drawing.doc”.

Stage 2: Initial Vector of MS Word Document

Before delving into the analysis of the Word document, it’s essential to understand the attack scenario.

Attack Scenario:

Opening a document or email in Microsoft Office can, without the user’s knowledge, allow an attacker to run their own code on the computer and take control of the system. This is a serious problem because merely opening a document or email can be enough for the attacker to deliver malicious software to the computer and launch remote attacks with their code.

MS Word Document Template

Upon opening the Word document, the embedded content activates the VBScript file, which initiates communication with the malicious IoC to drop the .SCT scriptlet file into the temp folder, thereby advancing the infection chain.

Dropped .SCT file
FZdtfhgYgeghHCE.SCT file main scriptlets
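As an added example (not from the post), the Python below shows what a defender can pull out of an RTF document before detonating it: each embedded OLE 1.0 object stored under `\objdata` (the MS-OLEDS layout: version, format id, class name, topic and item names, native data), its class name and a SHA-256 of its native data, plus whether the `\objupdate` control word instructs the host to load the object as soon as the file opens. The sample RTF and its object are constructed inline, and the `suspicious` flag is an assumed triage heuristic, not a signature for this CVE.

```python
import hashlib
import re
import struct

def build_ole1_stream(class_name: bytes, native_data: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object stream, the layout RTF carries in \\objdata.
    Used only to construct the sample; a real analysis reads the file instead."""
    cls = class_name + b"\x00"
    return (struct.pack("<II", 0x0501, 2)            # OLEVersion, FormatID 2 = embedded
            + struct.pack("<I", len(cls)) + cls     # length-prefixed ANSI class name
            + struct.pack("<II", 0, 0)              # empty TopicName and ItemName
            + struct.pack("<I", len(native_data)) + native_data)

# Constructed RTF (not the analysed "Product Drawing.doc"): one embedded object,
# marked \objupdate so the host refreshes it as soon as the document is opened.
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objemb\\objupdate{\\*\\objclass Package}\n"
              b"{\\*\\objdata " + build_ole1_stream(b"Package", b"constructed-native-data")
              .hex().encode() + b"}}\n}")

def parse_ole1(blob: bytes) -> dict:
    """Walk the OLE 1.0 header and return class name plus a hash of the native data."""
    _version, fmt, cls_len = struct.unpack_from("<III", blob, 0)
    off = 12
    cls = blob[off:off + cls_len].rstrip(b"\x00").decode("latin-1")
    off += cls_len
    for _ in range(2):                               # skip TopicName and ItemName
        n = struct.unpack_from("<I", blob, off)[0]
        off += 4 + n
    size = struct.unpack_from("<I", blob, off)[0]
    data = blob[off + 4:off + 4 + size]
    return {"class": cls, "format": fmt, "size": size,
            "sha256": hashlib.sha256(data).hexdigest()}

def triage_rtf(rtf: bytes) -> dict:
    """Extract every \\objdata blob, decode it, and flag the auto-update control word."""
    objects = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        objects.append(parse_ole1(bytes.fromhex(hexstr)))
    objupdate = b"\\objupdate" in rtf
    return {"objects": objects, "objupdate": objupdate,
            # heuristic: an embedded object the reader is told to refresh on open
            "suspicious": objupdate and bool(objects)}
```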

Recommendations:
Five straightforward steps to tackle CVE-2017-8570:

  • Regularly update all software, including operating systems and applications, to incorporate the latest security patches. This practice is crucial for addressing known vulnerabilities and bolstering overall system security.
  • Conduct routine training sessions to educate users about potential online threats, emphasizing cautious behaviour, especially when handling email attachments or clicking on links from unfamiliar sources.
  • Enhance email security with effective measures such as email filtering solutions to detect and block malicious attachments or links. This proactive approach helps prevent the infiltration of harmful content through phishing attempts.
  • Develop a dependable backup and recovery strategy for critical data. Regularly back up essential information and store backups securely to facilitate data restoration in the event of a successful cyberattack.
  • Utilize network segmentation to limit lateral movement in the case of a security breach. Adhere to the principle of least privilege by granting users and systems only the minimum necessary access, reducing the potential impact of a successful attack and enhancing overall security.

Indicators of Compromise:

  1. 935a394128e7c42b915d94309d81b6c5111641651cfaa1b8c6db2e0095b7110f File type: .DOC
  2. 6f7bcc641d33320eab77c30e24b4a48e035e7644525628047ab3b9975ed84bd2 File type: .VBA
  3. 24a86912acbefd8d78bf0f1f85d3bd6cc655afb12aaf289ba311ddee199795ab File type: .EML

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2017-8570

https://bazaar.abuse.ch/sample/935a394128e7c42b915d94309d81b6c5111641651cfaa1b8c6db2e0095b7110f/

Happy Learning!!!

Author : Priyadharshini K B (Priyadharshini is a SOC Lead and Threat Researcher at ASM Cybersecurity)

