2018-04-21 “TOP URGENT//: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882/Possible Remcos Infection
Yesterday while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit which leveraged an AutoIT script to launch the Remcos keylogger process which used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links: http://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/ http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882 2018-02-17 REMCOS RAT FROM MALSPAM And some similarities to this post: 2017-06-23 LOKI BOT MALWARE USING CVE 2017-0199 as well. Most of the activity from this infection was on the host and not much at the network level from what I was able to determine. All the artifacts found from this investigation…