Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

June 13, 2024, 10:33 a.m.

Description

This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. The keylogger collects system information, keystrokes, and clipboard data, which are sent to a command-and-control server. The report highlights the importance of patching vulnerabilities and keeping software up to date to prevent such attacks.

Date

  • Created: June 13, 2024, 10:14 a.m.
  • Published: June 13, 2024, 10:14 a.m.
  • Modified: June 13, 2024, 10:33 a.m.

Attack Patterns

  • Kimsuky
  • T1120
  • T1080
  • T1059.003
  • T1059.001
  • T1518.001
  • T1573
  • T1070
  • T1574
  • T1518
  • T1082
  • T1057
  • T1071
  • T1027
  • T1053
  • T1112
  • T1056
  • T1090
  • T1059

Linked vulnerabilities