Book a Demo
Back to blog

Detect Malware Associated with the Most Exploited CVEs

Written by
Intezer
Intezer

Unpatched or undetected software vulnerabilities are a common method for malware delivery once exploited by attackers.

Last month, the US-CERT urged IT security professionals to patch the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors from 2016 to 2019. The alert advised that a concerted effort among the public and private sectors to patch their systems and implement programs to keep system patching up to date could diminish some foreign cyber threats to U.S. interests.

Below are some of the malware families commonly associated with these CVEs, delivered by attackers following a successful exploitation:

CVE-2017-11882
Loki, FormBook, Pony/FAREIT

CVE-2017-0199
LATENTBOT, Dridex

CVE-2012-0158
Dridex

CVE-2018-4878
DOGCALL aka RokRAT

CVE-2017-8759
FINSPY, FinFisher

CVE-2015-1641
Carbanak

According to the IBM X-Force Threat Intelligence Index 2020, CVE-2017-11882, a vulnerability in Microsoft Office’s Microsoft Equation Editor, and CVE-2017-0199, a vulnerability in Microsoft Word, are the most common vulnerabilities leveraged by attackers.

Top vulnerabilities leveraged in malspam

They were used in nearly 90 percent of malspam messages despite being well-publicized and dated. These findings highlight how delays in patching allow cybercriminals to continue to use old vulnerabilities and still see some success in their attacks.”

In addition to patching, we recommend security personnel use our Endpoint Analysis scanner to detect any post exploitation malware payloads on their machines.

Here is an example of an endpoint infected with Loki malware:

The endpoint scanner provides visibility over the code executing on your machine. This is applicable if you are using unpatched vulnerable software or would like to ensure your machine is clean from any payload delivered by a zero-day exploit. A zero-day is a vulnerability in a software which is unknown to the public and hasn’t been reported to the company responsible for providing a patch for this vulnerability.

DarkHotel is an APT group known for delivering malware via zero-day exploits. In its latest attack documented by researchers at Qihoo 360, DarkHotel exploited a zero-day in Sangfor VPN which provides remote access to the network used by Chinese government agencies and their employees. The vulnerability, which was placed in the update mechanism, allowed the attackers to install a backdoor trojan onto the victims’ endpoints.

Scanning the memory of your endpoints periodically will allow you to detect in-memory threats that have been executed due to a successful vulnerability exploitation.

Intezer Analyze community users can scan one endpoint per day. Get the endpoint scanner

Intezer
Intezer

Count on Intezer Forensic AI SOC to triage, investigate and respond to every alert at unmatched speed and accuracy.

In this article

Share this article
Recommended Blogs
5MIN READ

AI SOC for teams outgrowing MDR

For teams that have outgrown their MDR, the answer isn’t a better MDR. It’s a different operating model.
3MIN READ

Intezer’s 2025 momentum reflects rapid adoption of AI SOC in global enterprise 

Enterprises are adopting AI SOC as the new model for running security operations. This shift is reflected clearly in Intezer’s momentum over the past year.
8MIN READ

Alert fatigue is costing you: Why your SOC misses 1% of real threats

Our 2026 AI SOC Report, based on the analysis of more than 25M security alerts across live enterprise environments, reveals a critical disconnect between how security teams prioritize alerts and where real threats actually originate.