{"id":11336,"date":"2022-04-09T16:23:34","date_gmt":"2022-04-09T16:23:34","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11336"},"modified":"2022-04-09T16:23:34","modified_gmt":"2022-04-09T16:23:34","slug":"fake-payment-for-message-malspam-using-cve-2017-0199-word-rtf-embedded-ole-link-exploit","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-payment-for-message-malspam-using-cve-2017-0199-word-rtf-embedded-ole-link-exploit\/","title":{"rendered":"Fake Payment For Message Malspam Using CVE-2017-0199 Word \/Rtf Embedded Ole Link Exploit"},"content":{"rendered":"
An email with the subject PAYMENT FOR YAREED (I am assuming the names are random), coming from random names and email addresses and carrying a malicious Word document attachment, attempts to deliver malware via the CVE-2017-0199 Word\/RTF embedded OLE link exploit. If you have installed the Microsoft Office security update released in April 2017 that fixes CVE-2017-0199, this attachment cannot exploit you by that route.<\/p>\n
If you have not, then just opening the Word document, with no further action on your part, is enough to infect you: no macro needs to be enabled, because the RTF contains an embedded OLE object link that Word updates as the document is rendered, fetching remote content (typically an HTA script run by mshta.exe) and executing it. I cannot stress strongly enough how vitally important it is to apply these patches IMMEDIATELY from Windows Update. The attachment is named along the lines of PO NO- <subject name>-2017.doc, so the name in the subject, the attachment and the body of the email all match; that consistency makes the social engineering more believable and a recipient more likely to open the attachment and get infected.<\/p>\n
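To turn the indicators described above into something a mail gateway or an analyst can run, here is an added Python triage example; it is not code from the original post and not the attacker's document. It flags an attachment whose content is RTF (starts with {\rt) despite a .doc name, looks for the \object, \objautlink and \objupdate control words that make Word resolve a linked object as the file opens, and decodes the hex \objdata blob to check for the OLE2Link class name and the StdOleLink CLSID {00000300-0000-0000-C000-000000000046}. The sample RTF inside the block is constructed for the example and carries no payload; the PO NO- ...-2017.doc name pattern is taken from this campaign's attachment names and is an assumption about future samples.<\/p>\n

```python
"""Triage a mail attachment for CVE-2017-0199-style RTF embedded OLE link indicators.

Added example, not code from the original post. CONSTRUCTED_RTF below is
built here for illustration and is not a working exploit: it only carries the
textual indicators a triage script looks for (an RTF body saved under a .doc
name, an \\object group carrying \\objautlink and \\objupdate, and an \\objdata
blob whose OLE1 header names the OLE2Link class and the StdOleLink CLSID).
"""
import re
from dataclasses import dataclass, field
from typing import List

RTF_MAGIC = b"{\\rt"
# {00000300-0000-0000-C000-000000000046}, the StdOleLink CLSID, in the
# little-endian byte order used inside OLE object data.
STDOLELINK_CLSID = bytes.fromhex("0003000000000000c000000000000046")
# Control words that make Word resolve a linked object as the file is rendered.
INTERESTING_CONTROL_WORDS = ("object", "objautlink", "objupdate", "objdata")
# Attachment naming pattern reported for this campaign (PO NO- NAME-2017.doc);
# assumed here, not guaranteed for other waves.
CAMPAIGN_NAME_RE = re.compile(r"^PO NO\.?- .+-2017\.doc$", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    is_rtf: bool
    ext_mismatch: bool            # RTF content behind a non-.rtf extension
    campaign_name: bool
    control_words: List[str] = field(default_factory=list)
    ole2link_class: bool = False  # "OLE2Link" class name inside objdata
    stdolelink_clsid: bool = False

    @property
    def suspicious(self) -> bool:
        # An RTF that embeds an OLE2Link/StdOleLink object, or that asks Word
        # to auto-update a link on open, is worth quarantining regardless of
        # what the attachment is called.
        auto_link = "objautlink" in self.control_words and "objupdate" in self.control_words
        return self.is_rtf and (self.ole2link_class or self.stdolelink_clsid or auto_link)


def extract_objdata(text: str) -> List[bytes]:
    """Decode every hex-encoded \\objdata blob in an RTF body."""
    blobs = []
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def triage_attachment(filename: str, data: bytes) -> Verdict:
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    verdict = Verdict(
        filename=filename,
        is_rtf=is_rtf,
        ext_mismatch=is_rtf and ext != "rtf",
        campaign_name=bool(CAMPAIGN_NAME_RE.match(filename)),
    )
    if not is_rtf:
        return verdict
    text = data.decode("latin-1")    # RTF is 7-bit; latin-1 never fails
    for cw in INTERESTING_CONTROL_WORDS:
        if re.search(r"\\" + cw + r"(?![a-z])", text):
            verdict.control_words.append(cw)
    for blob in extract_objdata(text):
        verdict.ole2link_class |= b"OLE2Link" in blob
        verdict.stdolelink_clsid |= STDOLELINK_CLSID in blob
    return verdict


def _build_constructed_objdata() -> str:
    """Hex of a minimal OLE1 object header naming the OLE2Link class.
    Constructed for this example; it carries no payload."""
    class_name = b"OLE2Link\x00"
    header = (
        (0x0501).to_bytes(4, "little")            # OLE version
        + (2).to_bytes(4, "little")               # format id
        + len(class_name).to_bytes(4, "little")   # class name length
        + class_name
    )
    return (header + STDOLELINK_CLSID).hex()


# Constructed sample: the indicators only, saved under the campaign's .doc name.
CONSTRUCTED_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" + "\n"
    + r"{\object\objautlink\objupdate\objw4000\objh400" + "\n"
    + r"{\*\objdata " + _build_constructed_objdata() + "}}" + "\n"
    + r"\f0\fs22 Payment has been made yesterday as instructed.\par}"
)

if __name__ == "__main__":
    v = triage_attachment("PO NO- YAREED-2017.doc", CONSTRUCTED_RTF.encode("latin-1"))
    print(f"{v.filename}: suspicious={v.suspicious} rtf_as_doc={v.ext_mismatch} "
          f"control_words={v.control_words} ole2link={v.ole2link_class}")
```

The verdict deliberately does not depend on the attachment name: the name pattern is reported separately so a renamed sample from the same kit is still caught by the RTF, \objupdate and OLE2Link checks, while a genuine .rtf with an ordinary embedded object stays clean.<\/p>\n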
I currently cannot find any actual malware, just an infection chain that appears to end with a download of a genuine version of Putty.exe (an SSH, Telnet and SFTP client used for server admin work).<\/p>\n
They are using email addresses and subjects that will scare or entice a user into reading the email and opening the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they would from consumers.<\/p>\n
Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual sending address, the part in <domain.com >. That is why these scams and phishes work so well.<\/p>\n
I have only seen one copy so far today myself, but there will no doubt be loads flying around out there.<\/p>\n
The email looks like:<\/p>\n
From:<\/strong> ye5789@ms51.hinet.net<\/p>\n
Date:<\/strong> Thu 04\/05\/2017 02:29<\/p>\n
Subject:<\/strong> PAYMENT FOR YAREED<\/p>\n
Attachment:<\/strong> PO NO- YAREED-2017.doc (30kb) and PO NO.- YAREED-2017.doc (7kb)<\/p>\n
Good day,<\/em><\/p>\n
Payment has been made yesterday as instructed by YAREED<\/em><\/p>\n
Evidence of payment is attached<\/em><\/p>\n
Waiting for your early reply<\/em><\/p>\n
Thanks.<\/em><\/p>\n
\u2014 This email was sent from HiNet WebMail \u2014<\/em><\/p>\n
Email Headers:<\/strong><\/p>\n
Body Content:<\/strong><\/h3>\n