Attackers Exploit 17-Year-Old Bug to Deliver Malware via Cobalt Strike

DAVID BISSON em 29/11/2017 no site The State of Security

Malicious actors are exploiting a 17-year-old vulnerability to infect machines with malware using a component of the Cobalt Strike penetration tool.

An attack under this campaign begins when a user receives a spam email from Visa announcing a change to its payWave service in Russia. The email comes with a password-protected archive that’s named “Изменения в системе безопасности.doc Visa payWave.doc.” Those behind this operation might have protected the archive with a password to lull the user into a false sense of security and thereby trick them into believing that Visa took precautions to protect the contents of the document.

Fake Visa notification email in Russian. (Source: Fortinet)

However, the archive is merely a distraction. The main focus of this attack email is a malicious RTF document that, when opened, exploits CVE-2017-11882, a 17-year-old arbitrary code execution vulnerability which Microsoft patched in mid-November 2017. This exploit triggers an obfuscated JavaScript that executes an obfuscated PowerShell script, which then downloads another PowerShell script and executes it to load Cobalt Strike in memory.

From there, the attacker can seize control of the infected system and potentially move laterally in the network.

Encoded and decoded PowerShell script downloader. (Source: Fortinet)

Fortinet security researchers Jasper Manual and Joie Salvio explain this campaign reveals the danger of users not patching their systems of known vulnerabilities on a timely basis:

Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.

To protect against attacks such as these, users should update their systems regularly, and organizations should invest in a vulnerability management solution that can help them detect and prioritize all known bugs.

For information on how Tripwire’s solutions can help strengthen a company’s vulnerability management program, click here.