Another day and yet another malformed, malicious Word doc attachment that is a renamed RTF file delivering Lokibot malware. These criminal gangs are really playing around with RTF files and constantly changing the header control word to try to bypass Anti-Virus & Next Gen protection. Today’s version uses a {\rtv0 header, which of course isn’t an approved header, but Microsoft Office Word will open anything that starts with {\rt and just about ignores the rest of the control word. There is some dispute about which Equation Editor exploit is involved in this campaign. Anyrun says CVE-2017-11882, whereas various detections on …
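A defender-side check for the header trick described above, added here as an example and not taken from the original post: it flags files that begin with {\rt but whose first control word is not the standard \rtf1, and RTF content delivered under a non-.rtf extension. The function names and the sample bytes are constructed for illustration, and the check assumes the RTF stream starts at byte 0 of the attachment.

```python
import re
from typing import List

# First RTF control word: a run of letters, then an optional numeric parameter.
_FIRST_CW = re.compile(rb"\{\\([A-Za-z]+)(-?\d+)?")


def classify_rtf_header(data: bytes) -> str:
    """Return 'rtf-standard', 'rtf-nonstandard' or 'not-rtf' for leading bytes."""
    # Per the post, Word accepts anything that starts with {\rt, so mirror that prefix.
    if not data.startswith(b"{\\rt"):
        return "not-rtf"
    m = _FIRST_CW.match(data)  # always matches here: "rt" is a run of letters
    word, param = m.group(1), m.group(2)
    # The RTF specification's header is the control word "rtf" with version 1.
    if word == b"rtf" and param == b"1":
        return "rtf-standard"
    return "rtf-nonstandard"


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings for one mail attachment (empty list = nothing odd)."""
    findings = []
    verdict = classify_rtf_header(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # RTF content hiding behind another extension, e.g. a .doc that is really RTF.
    if verdict != "not-rtf" and ext != "rtf":
        findings.append("rtf-content-with-." + ext + "-extension")
    # Header control word altered, e.g. {\rtv0 instead of {\rtf1.
    if verdict == "rtf-nonstandard":
        findings.append("nonstandard-rtf-header")
    return findings


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter for this check.
    samples = {
        "invoice.doc": b"{\\rtv0 constructed sample body}",
        "notes.rtf": b"{\\rtf1\\ansi constructed sample body}",
        "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE2 magic
    }
    for name, blob in samples.items():
        print(name, classify_rtf_header(blob), triage_attachment(name, blob))
```

A hit on "nonstandard-rtf-header" is a triage signal for closer inspection or sandboxing, not a verdict on which exploit the document carries.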