The case of MS Office is no different. A recently patched remote code execution bug, CVE-2017-11882, a 17-year-old flaw in the Equation Editor component that ships with Office, has already become the launch vehicle for the Cobalt group's malware, which is built on Cobalt Strike, the well-known commercial penetration-testing framework.
The bug is triggered when Office fails to properly handle objects in memory: a crafted document is enough to run arbitrary code with the privileges of the logged-on user. If that user has administrative rights, the scope of the attack worsens, because the attacker can then run commands and take full control of the machine. The affected Microsoft products are:
- Office 2016 (32-bit & 64-bit)
- Office 2013 SP1 (32-bit & 64-bit)
- Office 2010 SP2 (32-bit & 64-bit)
- Office 2007 SP3
Microsoft shipped the fix in its November 2017 Patch Tuesday update earlier this month. According to Fortinet, the attackers wasted no time and began exploiting the vulnerability almost as soon as the patch was public, while most installations were still unpatched.
Fortinet reports a Cobalt campaign that targeted Russian speakers with spam emails carrying an RTF document containing the exploit, disguised as a notice about policy changes in the Visa payWave service.
The RTF attachment was password protected, with the password supplied in the email body, so that mail gateways and antivirus scanners could not inspect its contents before the victim opened it. The email also carried an archive file containing a copy of the message body.
What gives the attack away is what the document does once it is opened: the exploit runs a PowerShell script that downloads the Cobalt Strike beacon, which then hands control of the system to the attackers. A Word process, or the Equation Editor process it launches to render the embedded object, spawning cmd.exe or powershell.exe is never normal user behaviour and is the clearest signal to hunt for.
The security firm notes that the attackers used “trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.” Because the Cobalt module was loaded directly into memory without ever being written to disk as a physical file, file-based scanning never had a chance to look at it.
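The process chain described above is easy to catch in process-creation telemetry even when the payload itself never touches disk. The following is an added example, not code from the original article or from Fortinet, that runs two simple detections over constructed Sysmon-style process-creation records: an Office or Equation Editor parent spawning a script host, and a PowerShell or cmd command line carrying the hidden-window, encoded-command or download-cradle flags that in-memory loaders rely on. The log format, paths and process IDs are assumptions made up for the example; only the parent/child relationship mirrors what the article describes.

```python
import re

# Process-creation events constructed to mimic Sysmon Event ID 1 fields as
# pipe-separated key=value pairs. These are sample lines, not real captures.
SAMPLE_EVENTS = [
    "ts=2017-11-20T09:12:01Z|ProcessId=4120|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|CommandLine=\"WINWORD.EXE\" /n \"C:\\Users\\ivan\\Downloads\\Visa_payWave.rtf\"",
    # Word starting the Equation Editor OLE server is normal for any document
    # that embeds an equation, so this line alone must not fire.
    "ts=2017-11-20T09:12:02Z|ProcessId=4188"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|Image=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|CommandLine=\"EQNEDT32.EXE\" -Embedding",
    # The exploit: Equation Editor spawning cmd.exe, which launches PowerShell.
    "ts=2017-11-20T09:12:03Z|ProcessId=4204"
    "|ParentImage=C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA...",
    "ts=2017-11-20T09:12:04Z|ProcessId=4230|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -nop -w hidden -enc SQBFAFgA...",
    # Benign admin script run from the desktop: must stay quiet.
    "ts=2017-11-20T09:15:10Z|ProcessId=5001|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

# Parents that should never launch an interpreter during normal document use.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# The "trusted Windows tools" typically abused to stage a payload.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line markers of a hidden, encoded or downloading PowerShell stager.
CRADLE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|"
    r"net\.webclient|\biex\b|invoke-expression)", re.IGNORECASE)


def parse_event(line):
    """Split one pipe-separated key=value record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"cmd.exe", "powershell.exe"} and CRADLE.search(cmdline):
        reasons.append("hidden/encoded/download flags in command line")
    return reasons


def scan(lines):
    """Run the detections over raw log lines; return (ProcessId, reasons) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ProcessId", "?"), reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: " + "; ".join(reasons))
```

The first rule is the high-confidence one: WINWORD.EXE launching EQNEDT32.EXE is legitimate, but EQNEDT32.EXE launching cmd.exe has no business use, so it fires without needing any payload signature. The second rule catches the follow-on PowerShell even when the parent is already cmd.exe, and is where tuning matters, since `-WindowStyle Hidden` and `-EncodedCommand` do appear in some management tooling.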
Users are advised to install the security update; Microsoft's advisory for CVE-2017-11882 also documents a registry workaround that disables the vulnerable Equation Editor component for environments that cannot patch immediately. The patch closes this particular exploit path, but blocking or sandboxing password-protected attachments at the mail gateway and alerting on Office processes that spawn script interpreters will also catch the next document-borne exploit that arrives before its patch does.