Formbook via fake invoice using Microsoft Office Equation Editor exploits

Another malware campaign using malformed RTF files with Microsoft Office Equation Editor exploits to extract or drop a zip file from an embedded OLE object; the zip contains the payload and an "innocent" lure document that is displayed to the victim. Today it looks like CVE-2017-8570. The payload today is Formbook. This campaign is almost identical to the Azorult campaign I detailed a few days ago, with the same Gondi.doc (with the code for a phishing site in it) and using saver.scr as the payload file. This is either the same criminal gang involved in both malware campaigns or the 2 different criminals
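As an added triage example (not from the original post or the campaign's files), the scanner below pulls every `\objdata` hex blob out of an RTF, decodes it, and flags the traits described above: an OLE1 wrapper naming Equation.3, an OLE2 compound-file header, the Equation Editor CLSID, and a zip signature inside the embedded object. The sample RTF it builds is constructed for the demo and is not a real document from the campaign.

```python
import re

# CLSID of the Equation Editor (Equation.3) COM class, in its textual form.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header
ZIP_MAGIC = b"PK\x03\x04"                           # zip local file header

def clsid_to_bytes(clsid):
    """Serialise a textual GUID in the little-endian layout stored on disk."""
    p = clsid.split("-")
    return (bytes.fromhex(p[0])[::-1] + bytes.fromhex(p[1])[::-1]
            + bytes.fromhex(p[2])[::-1] + bytes.fromhex(p[3] + p[4]))

def extract_objdata(rtf):
    """Return the decoded bytes of every \\objdata hex blob in the RTF text."""
    blobs = []
    for m in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs

def scan_rtf(rtf):
    """Summarise suspicious traits of the embedded objects in an RTF string."""
    clsid = clsid_to_bytes(EQUATION_EDITOR_CLSID)
    report = {"objects": 0, "equation_editor": False, "ole2": False, "zip": False}
    for blob in extract_objdata(rtf):
        report["objects"] += 1
        if b"Equation.3" in blob or clsid in blob:   # OLE1 class name or CLSID
            report["equation_editor"] = True
        if OLE2_MAGIC in blob:
            report["ole2"] = True
        if ZIP_MAGIC in blob:                        # zip carried inside the object
            report["zip"] = True
    return report

def build_sample_rtf():
    """Constructed sample: OLE1 header naming Equation.3, then a stub OLE2
    header, the Equation Editor CLSID and a zip signature. Not a real exploit."""
    ole1 = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + (11).to_bytes(4, "little") + b"Equation.3\x00" + b"\x00" * 8)
    data = OLE2_MAGIC + b"\x00" * 8 + clsid_to_bytes(EQUATION_EDITOR_CLSID) + ZIP_MAGIC + b"stub"
    ole1 += len(data).to_bytes(4, "little") + data
    return "{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata " + ole1.hex() + "}}}"

if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf()))
```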