Cyber Security News

Hackers Exploit MS Equation Editor Vulnerability to Deploy XLoader Malware

ASEC researchers have uncovered a sophisticated phishing campaign that exploits a nearly 8-year-old Microsoft Office vulnerability to distribute the XLoader information stealer.

The attack leverages CVE-2017-11882, a memory corruption vulnerability in Microsoft’s Equation Editor component, demonstrating that cybercriminals continue to successfully weaponize older security flaws.

Phishing Campaign Exploits Equation Editor Vulnerability (CVE-2017-11882)

The attackers are sending phishing emails disguised as purchase or order confirmations, prompting recipients to open attached DOCX files to verify transaction details. 

The seemingly harmless document actually contains a malicious RTF file that triggers the Equation Editor vulnerability.

“These emails trick recipients into opening a DOCX attachment that secretly contains a malicious RTF file exploiting a known vulnerability (CVE-2017-11882) in Microsoft’s Equation Editor,” explained ASEC researchers.

Phishing Email

The attack chain begins when the victim opens the DOCX file, which loads the embedded RTF document through an external connection rather than displaying it as ordinary content.

The RTF then drops a file named "Client.vbe" in a temporary folder and exploits the Equation Editor vulnerability to execute it.
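The two stages described above leave file-level traces that a mail gateway or sandbox can check before the document ever reaches Word: a DOCX whose relationships reference an RTF part or an external target, and an RTF whose object block carries the Equation Editor class. The following script is an added example written for this article, not code from ASEC or from the campaign; the DOCX and RTF it scans are constructed in-line and are not real samples. The CLSID it searches for, {0002CE02-0000-0000-C000-000000000046}, is the Equation Editor 3.0 COM class, stored little-endian inside the hex-encoded `\objdata` blob; the mixed-case class name mimics the case-shuffling exploit documents use to defeat naive string matching.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# CLSID of the Equation Editor 3.0 COM class {0002CE02-0000-0000-C000-000000000046}
# as it appears little-endian inside a hex-encoded \objdata blob.
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"


def rtf_indicators(rtf: bytes) -> dict:
    """Return the Equation Editor related markers found in an RTF body."""
    text = rtf.decode("latin-1", errors="replace")
    hits = {}
    # \objclass naming the Equation Editor class; exploit documents vary the case
    if re.search(r"\\objclass\s*equation", text, re.I):
        hits["objclass_equation"] = True
    # \objupdate forces the object to activate as soon as the document is opened
    if re.search(r"\\objupdate\b", text):
        hits["objupdate"] = True
    # Decode each hex run that follows \objdata and look inside it for the class
    # name or CLSID; matching the raw file text misses both.
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", text):
        hexstr = re.sub(r"\s+", "", m.group(1)).lower()
        if EQNEDT_CLSID_HEX in hexstr:
            hits["clsid_in_objdata"] = True
        try:
            raw = bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])
        except ValueError:
            continue
        if re.search(rb"equation\.3", raw, re.I):
            hits["classname_in_objdata"] = True
    return hits


def scan_docx(data: bytes) -> dict:
    """Inspect every part of a DOCX package for external relationships and embedded RTF."""
    findings = {"external_rels": [], "embedded_rtf_parts": [], "rtf_indicators": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external_rels"].append((name, rel_type, rel.get("Target")))
            # An RTF file stored as a package part (for example one pulled in via altChunk)
            if content.lstrip().startswith(b"{\\rt"):
                findings["embedded_rtf_parts"].append(name)
                findings["rtf_indicators"][name] = rtf_indicators(content)
    return findings


def verdict(findings: dict) -> str:
    if any(findings["rtf_indicators"].values()):
        return "block: embedded RTF carrying an Equation Editor object"
    if findings["embedded_rtf_parts"] or findings["external_rels"]:
        return "review: embedded RTF or external relationship present"
    return "clean"


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed test document, not a real sample: a minimal DOCX whose
    document.xml.rels points at an embedded RTF (altChunk) and an external template."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Relationships xmlns="{RELS_NS}">']
    rtf = None
    if malicious:
        rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/aFChunk" Target="afchunk.rtf"/>')
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://example.invalid/t.dotm" TargetMode="External"/>')
        # Mixed-case class name plus the CLSID hidden inside the \objdata hex run
        objdata = "01050000" + "02000000" + "EqUaTiOn.3".encode().hex() + " " + EQNEDT_CLSID_HEX
        rtf = (r"{\rtf1{\object\objemb\objupdate{\*\objclass EqUaTiOn.3}"
               "{\\*\\objdata " + objdata + "}}}").encode()
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if rtf:
            z.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        f = scan_docx(build_sample_docx(flag))
        print(verdict(f), f)
```

Run it on a real attachment with `scan_docx(open(path, "rb").read())`. The decode-then-match step is the part worth keeping: string rules that look for "Equation.3" in the raw RTF miss documents that hex-encode the class name or hide it behind the CLSID, and `\objupdate` is a strong tell on its own because a document has little legitimate reason to force an embedded object to activate on open.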

The campaign utilizes HorusProtector, a commercially sold crypter and malware distribution service that has evolved since it was first observed in 2024. 

HorusProtector Builder Image

Unlike earlier variants that downloaded payloads from command-and-control servers, the current version embeds the entire malware payload directly in the VBE file, increasing the script's size from roughly 10 KB to 1.34 MB.

The Horus Protector distribution service uses Visual Basic scripts to deliver malware covertly. 

The script ultimately uses PowerShell, a living-off-the-land technique, to load the XLoader payload (a FormBook derivative) straight into memory, where it runs under the guise of a legitimate native process.
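The execution chain just described (Equation Editor runs a .vbe from a temp folder, the script host launches PowerShell) is visible in process-creation telemetry even when the file-level stages are missed. The detection logic below is an added example for this article, not ASEC's or any vendor's rule set, and the events it runs over are constructed in the shape of Sysmon Event ID 1 fields rather than captured from the campaign. One detail it encodes that practitioners often get wrong: EQNEDT32.EXE is started through DCOM, so its parent is a svchost.exe, not WINWORD.EXE, and a rule that only watches Word's children never sees the exploit. Any child of EQNEDT32.EXE is suspicious, because the component has no legitimate reason to spawn processes.

```python
import ntpath
import re
from typing import Iterable, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 style fields). These are
# illustrative, not telemetry from the campaign in the article.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1004,
     "image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Order_Confirmation.docx"'},
    # Equation Editor is launched by DCOM (parent svchost.exe, pid 812), not by Word
    {"pid": 5216, "ppid": 812,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"EQNEDT32.EXE" -Embedding'},
    {"pid": 5300, "ppid": 5216, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Client.vbe"'},
    {"pid": 5388, "ppid": 5300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"},
    {"pid": 6000, "ppid": 1004, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A script host running a script file out of a temp directory
TEMP_SCRIPT = re.compile(r'\\temp\\[^"]*\.(vbe|vbs|jse|js)\b', re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: Iterable[dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, image) alerts. Parent lookup is done by pid here;
    Sysmon already supplies ParentImage, so a SIEM rule can skip the join."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        # Rule 1: EQNEDT32.EXE never has a legitimate reason to spawn a child process.
        if parent_img == "eqnedt32.exe":
            alerts.append(("eqnedt32_child_process", e["pid"], img))
        # Rule 2: script host executing a .vbe/.vbs/.js dropped in a temp folder.
        if img in SCRIPT_HOSTS and TEMP_SCRIPT.search(e["cmdline"]):
            alerts.append(("script_host_from_temp", e["pid"], img))
        # Rule 3: PowerShell launched by a script host (the in-memory loader stage).
        if img in POWERSHELL and parent_img in SCRIPT_HOSTS:
            alerts.append(("powershell_from_script_host", e["pid"], img))
    return alerts


def ancestry(events: Iterable[dict], pid: int) -> List[str]:
    """Walk the parent chain of a pid as far as the event set allows, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert, "chain:", " -> ".join(ancestry(SAMPLE_EVENTS, alert[1])))
```

The ancestry walk for the PowerShell process resolves to eqnedt32.exe -> wscript.exe -> powershell.exe, with Word absent from the chain; that is why rule 1 keys on EQNEDT32.EXE as the parent rather than on WINWORD.EXE.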

RTF File Embedded in a DOCX Document

XLoader: A Formidable Information Stealer

The final payload is XLoader, a sophisticated information stealer that evolved from the FormBook malware family. 

Available on underground forums as Malware-as-a-Service, XLoader targets both Windows and macOS systems.

Once installed, XLoader can:

  • Record keystrokes and capture screenshots.
  • Steal clipboard data including cryptocurrency transactions.
  • Extract credentials from web browsers, email clients, and messaging applications.
  • Harvest cryptocurrency wallet information.
  • Download additional malware payloads.

Malware Data Finally Executed

Despite being patched in 2017, the Equation Editor vulnerability remains effective because many organizations fail to apply updates consistently. Security experts recommend:

  • Ensuring all Microsoft Office installations are fully patched. Microsoft removed the Equation Editor component from Office in its January 2018 updates, so a fully patched installation should no longer contain EQNEDT32.EXE; if that binary is still present (typically under Common Files\Microsoft Shared\EQUATION), the installation is not fully patched.
  • Implementing email filtering solutions that can detect malicious attachments, including DOCX files that embed or reference RTF content.
  • Disabling the Equation Editor component if it is still installed and not needed.
  • Training users to be cautious of unexpected email attachments, particularly unsolicited order or purchase confirmations.

“The fact that malware exploiting past vulnerabilities is still being distributed implies that there are still many users in vulnerable environments,” warned ASEC researchers.

This campaign highlights how cybercriminals continue to successfully leverage older vulnerabilities in their attacks, underscoring the critical importance of maintaining up-to-date security patches even for legacy software components.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
