Attackers are exploiting a 22-year-old Office remote code execution bug. The attack begins with a phishing email carrying a PDF attachment; if the user opens it, they are prompted to open a .docx (Word document) file. That .docx file then connects to a website and downloads a Rich Text Format (RTF) document named ‘f_document_shp.doc’.
This document exploits a remote code execution (RCE) vulnerability, disclosed over four years ago, in Equation Editor, a component installed by default with the Office suite and used to insert and edit complex equations.
The final stage of the attack runs code that is hidden from the user and encrypted to evade detection. That code is then decrypted and run as a keylogger called fresh.exe.
This process sends all your credentials, data and other sensitive information back to the attacker in plain text.
Because of this vulnerability, we strongly advise all users to keep up to date with the security patches issued by Microsoft. We also recommend educating your staff about phishing emails and cyber attacks, and about what to do when they receive one.
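Patching and awareness training are the primary defences, but the attack chain above also leaves a clear trace in endpoint telemetry that a defender can alert on. The following Python script is an added example (not code from the original article or from any vendor): it replays a few constructed process-creation events through two detection rules. Rule 1 flags the Equation Editor process acting as the parent of any new process, which never happens during legitimate equation editing and is the footprint of the RCE being triggered. Rule 2 flags an Office application starting an executable from a user-writable location, which is how a dropped payload such as the keylogger described above is typically launched. The binary name EQNEDT32.EXE is the real Equation Editor executable on Windows; the JSON field names (pid, image, parent_image, cmdline) and all sample paths and events are invented for this example.

```python
"""Hypothetical endpoint detection pass for the Equation Editor attack chain.

Example code added for illustration; it is not from the original article.
Assumptions: EQNEDT32.EXE and the Office binary names are the real Windows
executables; the event schema and every sample record below are constructed.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import List, Optional

EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directory fragments (lower-case, backslash form) an ordinary user can write to;
# a freshly dropped payload almost always executes from one of these.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry (JSON lines), not real logs. The third, fourth
# and fifth records model the attack; the others model ordinary workstation use.
SAMPLE_EVENTS = r"""
{"pid": 3120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docx"}
{"pid": 3388, "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "parent_image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "EQNEDT32.EXE -Embedding"}
{"pid": 3402, "image": "C:\\Users\\alice\\AppData\\Roaming\\fresh.exe", "parent_image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "cmdline": "fresh.exe"}
{"pid": 3410, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "cmdline": "cmd.exe"}
{"pid": 3515, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stub.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "setup_stub.exe /silent"}
{"pid": 3600, "image": "C:\\Windows\\System32\\calc.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "calc.exe"}
"""


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    severity: str
    detail: str


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank and malformed records.
    A production pipeline should count malformed lines rather than drop them."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _basename(path: str) -> str:
    # ntpath handles Windows paths correctly even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the two rules to one process-creation event; first match wins."""
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    child_name, parent_name = _basename(image), _basename(parent)

    # Rule 1: Equation Editor never spawns child processes in legitimate use.
    if parent_name == EQUATION_EDITOR:
        return Alert(event["pid"], "eqnedt32_child_process", "high",
                     f"{parent_name} spawned {child_name}")

    # Rule 2: an Office application launching a binary from a user-writable path.
    image_lower = image.lower()
    if parent_name in OFFICE_APPS and any(m in image_lower for m in USER_WRITABLE_MARKERS):
        return Alert(event["pid"], "office_spawn_user_writable", "medium",
                     f"{parent_name} started {image} from a user-writable path")
    return None


def scan(text: str) -> List[Alert]:
    """Run every parsed event through the rules and return the alerts raised."""
    return [a for a in (evaluate(e) for e in parse_events(text)) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] pid={alert.pid} {alert.rule}: {alert.detail}")
```

Run against the constructed sample, the script raises three alerts: two high-severity hits for Equation Editor spawning fresh.exe and cmd.exe, and one medium-severity hit for Word launching a binary out of a temp directory. Note that the Equation Editor process itself starting under svchost.exe (record two) is not flagged: that is how the component is normally launched via COM, so the signal is in what it spawns, not in its own existence.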