MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt
This event is generated when an RTF file that is seen using indicators observed in APT group activity.
Potential Code Execution
This rule targets an APT campaign leveraging CVE-2018-0798 which exploits an undisclosed vector in the Equation Editor for Microsoft Office. In particular this is geared towards the overwrite of the least significant two bytes of the return address for code execution.
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2018-0798Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".
||Ease of Access||LOW