On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have only around 2-4 AV detections, which seemed curious for a volume spike. Mitja Kolsek confirmed this to be a new variant of CVE-2018-0802, which is already covered by 0patch and was patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can be seen used to exploit CVE-2017-11882 as well.
- VT: https://www.virustotal.com/#/file/189d2dc825a3b1f00b91d3e0b7678b7fb128e74d831d99487b80cbf5cf805a74/detection
- Anyrun: https://app.any.run/tasks/e3d99cd3-8886-48f1-a8ce-dde0cbbe0889