Cybercriminals Take Advantage of Three Known Vulnerabilities in Microsoft Word & Excel

Three well-known and out-of-date CVEs in Microsoft Word and Excel continue to represent a threat to the cybersecurity sector even though they are not 0-day or even 1-day vulnerabilities.

Researchers discovered several linkages between these three CVEs, including technical ploys to hide the malicious documents' dangerous nature and enticing subject lines intended to deceive users into opening the document.

In 2023, over 13,000 samples utilizing outdated CVEs were detected in the wild. According to CheckPoint, the goal of using various formats and tactics, such as DOC(X), XLS(X), and RTF, is to deceive the user into clicking and so deliver the subsequent infection.

The operators of maldocs choose profitable industries to attack, such as government, healthcare, banking, and finance.


[Figure: Affected Countries]

Three Antiquated and Well-Known CVEs for Microsoft Word and Excel

  1. CVE-2017-11882 (Technical Analysis by Palo Alto)
  2. CVE-2017-0199 (Technical Analysis by Perception Point)
  3. CVE-2018-0802 (Technical Analysis by Check Point Software Technologies)

Several notorious malware families, including Dridex in 2017, Guloader in 2021, LokiBot in 2018, and others, were disseminated using maldocs that exploit these CVEs. In 2023 the situation had not changed, although some notable additions to the distributed payloads were discovered, including samples used by Agent Tesla, Gamaredon APT, and Formbook/Xloader.

The most notable samples are those used in Gamaredon APT activities. Gamaredon APT is a renowned hacker group that receives state sponsorship from Russia.


In October 2022, the popular malware family known as Agent Tesla topped the list of most prevalent malware. This sophisticated RAT may be used as both an information stealer and a keylogger.

Another malware family that has been seen propagating via maldocs is GuLoader. Several attacks have used the well-known shellcode-based downloader GuLoader to spread several varieties of the "most wanted" malware.

Formbook, an infostealer, was first discovered in 2016. Among the various types of data it retrieves from infected systems are screenshots, keystrokes, and credentials saved in web browser cookies.

Maldocs come in many shapes and sizes, but one of their most common tricks is a badly designed paragraph that asks the user to "enable editing" for this document.

Malicious Excel documents could be encrypted, making analysis more difficult. The encryption and decryption processes are handled by the MS Enhanced RSA and AES crypto-providers.

Malicious documents can use a variety of strategies, including obfuscated VBA macros, massive oleObjects, weird URLs, and shellcodes. Researchers stated that “this malware needs to be identified and stopped as soon as possible, and the methodology of the 5-year-old spreading method needs to be well known.”
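A static triage pass over the formats and tricks described above, as an added example that is not CheckPoint's code: it identifies RTF, OLE and OOXML containers by signature and flags encrypted packages, VBA projects, embedded OLE objects and Equation Editor objects. The `Equation.3` ProgID, the 1 MB threshold and the flag names are assumptions not taken from the article, and plain byte searches like these are heuristics that obfuscated samples can evade.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
# Assumption (not on the page): ProgID of Equation Editor, the component
# patched for CVE-2017-11882 and CVE-2018-0802.
EQUATION_PROGID = b"Equation.3"
BIG_OLE_BYTES = 1_000_000  # hypothetical cut-off for a "massive" oleObject

def u16(name):  # OLE directory entries store stream names as UTF-16LE
    return name.encode("utf-16-le")

def triage(data):
    """Return (container kind, list of static indicators) for one file."""
    kind, flags = "unknown", []
    if data[:4].lower() == b"{\\rt":
        kind, low = "rtf", data.lower()
        if b"\\objdata" in low:
            flags.append("embedded-ole-object")
        if b"\\objupdate" in low:
            flags.append("object-auto-update")
        # Embedded objects are hex text in RTF, so match the hex form as well.
        if EQUATION_PROGID.hex().encode() in low or EQUATION_PROGID.lower() in low:
            flags.append("equation-editor-object")
    elif data.startswith(OLE_MAGIC):
        kind = "ole"
        if u16("EncryptedPackage") in data and u16("EncryptionInfo") in data:
            kind = "ole-encrypted-ooxml"  # password-protected DOCX/XLSX wrapper
            flags.append("encrypted-package")
        if u16("_VBA_PROJECT") in data:
            flags.append("vba-macros")
        if EQUATION_PROGID in data or u16("Equation Native") in data:
            flags.append("equation-editor-object")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            kind = "ooxml" if "[Content_Types].xml" in z.namelist() else "zip"
            for info in z.infolist():
                name = info.filename.lower()
                if name.endswith("vbaproject.bin"):
                    flags.append("vba-macros")
                if "/embeddings/" in name:
                    flags.append("embedded-ole-object")
                    if info.file_size > BIG_OLE_BYTES:
                        flags.append("massive-ole-object")
    return kind, flags

if __name__ == "__main__":
    # Constructed sample: an RTF shell whose object data is the hex of "Equation.3".
    sample = b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objdata 4571756174696F6E2E33}}}"
    print(triage(sample))
```

An `ole-encrypted-ooxml` result means the real document sits inside the `EncryptedPackage` stream, so the other checks only become meaningful after decryption.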