Fake Quotation Request with malformed RTF file attachments delivering Lokibot

Another day and yet another malformed, malicious Word doc attachment that is a renamed RTF file delivering Lokibot malware. These criminal gangs are really playing around with RTF files and constantly changing the header control word to try to bypass anti-virus and next-gen protection. Today’s version uses a {\rtv0 header, which of course isn’t an approved header, but Microsoft Office Word will open anything that starts with {\rt and just about ignores the rest of the control word. There is some dispute over which Equation Editor exploit is involved in this campaign. Anyrun says CVE-2017-11882, whereas various detections on …

Article Link: https://myonlinesecurity.co.uk/fake-quotation-request-with-malformed-rtf-file-attachments-delivering-lokibot/
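A header check for the evasion described above, added here as an example and not taken from the original post: it flags files that start with the `{\rt` prefix Word accepts but do not carry the `{\rtf1` header the RTF specification requires. The function name, the finding labels and the sample byte strings are constructed for illustration.

```python
import re

LENIENT_MAGIC = b"{\\rt"                      # prefix the article says Word will open
SPEC_HEADER = re.compile(rb"\{\\rtf1(?!\d)")  # header the RTF specification requires
FIRST_WORD = re.compile(rb"\{\\([A-Za-z]+-?\d*)")  # first control word plus numeric parameter


def inspect_header(data: bytes, filename: str = "") -> dict:
    """Classify a file by its leading bytes, independent of its extension."""
    result = {"rtf_like": False, "header": None, "findings": []}
    if not data.startswith(LENIENT_MAGIC):
        return result  # Word would not treat this as RTF
    result["rtf_like"] = True
    m = FIRST_WORD.match(data)
    result["header"] = m.group(1).decode("ascii") if m else None
    # Opens as RTF in Word, but a signature anchored on "{\rtf1" would miss it.
    if not SPEC_HEADER.match(data):
        result["findings"].append("nonstandard-rtf-header")
    # RTF content delivered under another extension (the "renamed RTF" case).
    if filename and not filename.lower().endswith(".rtf"):
        result["findings"].append("rtf-content-under-other-extension")
    return result


# Constructed sample inputs (hypothetical file names, harmless bodies).
SAMPLES = {
    "notes.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl}}",
    "quotation.doc": b"{\\rtv0 constructed body}",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE2 magic
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_header(blob, name))
```

Matching on the lenient prefix and then comparing against the specification keeps the check independent of whichever control word a given sample uses after `{\rt`.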