CVE-2018-0798
published 2018-01-10

CVE-2018-0798: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability…

Priority: P1 (86) high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (KEV), due 2022-05-03; exploited in the wild (ITW)
EPSS: 95.12% (99.9th percentile)
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".

Affected (21 ranges)

Vendor | Product | Version range | Fixed in
microsoft | office | |
microsoft | office | |
microsoft | office | |
microsoft | office | |
microsoft | word | |
microsoft | word | |
microsoft | word | |
microsoft | word | |
microsoft_corporation | equation_editor | |
msrc | microsoft_office_2007_service_pack_3 | |
msrc | microsoft_office_2010_service_pack_2 | |
msrc | microsoft_office_2013_service_pack_1 | |
msrc | microsoft_office_2016 | |
msrc | microsoft_office_2016_click-to-run_for_32-bit_editions | |
msrc | microsoft_office_2016_click-to-run_for_64-bit_editions | |
msrc | microsoft_office_compatibility_pack_service_pack_3 | |
msrc | microsoft_word_2007_service_pack_3 | |
msrc | microsoft_word_2010_service_pack_2 | |
msrc | microsoft_word_2013_rt_service_pack_1 | |
msrc | microsoft_word_2013_service_pack_1 | |
msrc | microsoft_word_2016 | |

Detection & IOCs (extracted from sources)

  • CVE-2018-0798 is exploited via malicious RTF documents built with the Royal Road (8.t) builder, which embeds OLE objects with class name 'Equation 3.0' containing shellcode as equation formulas executed by Microsoft Equation Editor (EQNEDT32.EXE).
  • Royal Road RTF samples exploiting CVE-2018-0798 drop a WMF-named file (e.g., dcnx18pwh.wmf) XOR-encoded with key B2 A6 6D FF; detection of this XOR pattern in dropped WMF files is a strong indicator of Royal Road exploitation.
  • Malicious Excel spreadsheets exploiting CVE-2018-0798 create scheduled tasks named 'Rdx' and 'RdxFac' running every five minutes, and create a folder 'RdxFact' in the Windows tasks folder; monitor for these scheduled task names as indicators of compromise.
  • Shellcode from CVE-2018-0798 exploitation creates the folder C:\$Utf to stage downloaded payloads; presence of this folder is a host-based indicator of exploitation.
  • The LOWZERO backdoor dropped after CVE-2018-0798 exploitation communicates with its C2 over TCP port 110 (typically POP3), which is anomalous for most endpoints and should be monitored for outbound connections to non-mail servers.
  • Chinoxy backdoor variants use a base64-encoded C2 server stored in an external configuration file named 'k1.ini'; presence of this file alongside a malicious LBTServ.dll is a strong indicator of Chinoxy infection.
  • CVE-2018-0798 is exploited via the Microsoft Equation Editor (EQNEDT32.EXE) component present in Microsoft Office 2007, 2010, 2013, and 2016; organizations that have applied the January 9, 2018 patch or disabled/removed Equation Editor are not vulnerable.
  • The Royal Road builder is shared across multiple distinct Chinese APT groups (including Tonto Team, TA413, Bitter, Mustang Panda, Scarab, and others); IOCs derived from Royal Road documents alone are insufficient for precise actor attribution.
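The XOR-encoded dropped-file indicator above can be checked on a host without running anything from the document. The following is an added example (not code from the page or from any vendor tool) that decodes a dropped file with the reported key B2 A6 6D FF and reports whether it hides a PE image behind a WMF file name; the file name and the PE-shaped sample bytes are constructed for the demonstration.

```python
import struct

# Key reported for Royal Road dropped WMF-named files (from the page).
ROYAL_ROAD_XOR_KEY = bytes.fromhex("B2A66DFF")

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def looks_like_wmf(data: bytes) -> bool:
    """Placeable WMF magic (9AC6CDD7 little-endian) or a standard WMF header (type 1 or 2)."""
    return data[:4] == b"\xd7\xcd\xc6\x9a" or data[:2] in (b"\x01\x00", b"\x02\x00")

def assess_dropped_file(name: str, data: bytes, key: bytes = ROYAL_ROAD_XOR_KEY) -> list:
    """Return a list of finding strings for one dropped file (empty list = nothing suspicious)."""
    findings = []
    # Cheap pre-check that needs no decoding: 'MZ' XORed with the first two key bytes is FF FC.
    if data[:2] == xor_decode(b"MZ", key):
        findings.append("first two bytes equal MZ xor Royal Road key")
    if looks_like_pe(xor_decode(data, key)):
        findings.append("decodes to a PE image with the Royal Road XOR key")
    if name.lower().endswith(".wmf") and not looks_like_wmf(data):
        findings.append("WMF extension but no WMF header")
    return findings

def build_constructed_pe(e_lfanew: int = 0x80, size: int = 0x100) -> bytes:
    """Constructed minimal PE-shaped buffer for the demo (headers only, not a real program)."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)

if __name__ == "__main__":
    # Constructed sample: the PE-shaped blob XOR-encoded with the Royal Road key.
    sample = xor_decode(build_constructed_pe(), ROYAL_ROAD_XOR_KEY)
    for finding in assess_dropped_file("dcnx18pwh.wmf", sample):
        print("ALERT:", finding)
```

The FF FC pre-check is cheap enough to use as a file-header signature; the full decode confirms it and avoids flagging unrelated files that merely start with those bytes.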

CVSS provenance

nvd  v3.1  8.8  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd  v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck  8.8  HIGH
cisa  8.8  HIGH
vendor_msrc  8.8  HIGH