A spam email campaign has been discovered that is distributing a variety of Cobalt malware. The hackers use the Cobalt Strike penetration testing tool to take full management of an infected device. The attack uses an exploit for a recently patched Microsoft Office flaw.
The spam emails seem to have been sent by Visa, advising the recipient about recent changes to its payWave service. The emails include a compressed file attachment that is password-secured. The password required to extract the contents of the zip file is included in the body of the email.
This is an apparent attempt to trick email recipients into thinking Visa had included security controls to stop unauthorized individuals from viewing the information in the email – a reasonable security measure for a financial communication. Also included in the email is a RTF file that is not password secured. Opening that file will initiate a PowerShell script that will install a Cobalt Strike client that will ultimately give the hackers full control of the infected device.
The hackers leverage a flaw in Microsoft Office – CVE-2017-11882 – which was patched by Microsoft earlier this month. The hackers use legitimate Windows tools to execute a wide range of commands and spread laterally through a network.
The campaign was discovered by researchers at Fortinet, who report that by exploiting the Office flaw, the hackers download a Cobalt Strike client and multiple stages of scripts which are then used to install the main malware payload.
The vulnerability has existed in Office products for 17 years, although it was only recently discovered Microsoft. Within a few days of the weakness being detected, Microsoft issued a patch to correct the flaw. Within a few days of the patch being released, threat actors started attacking the vulnerability. Any device that has a vulnerable version of Office installed is susceptible to attack.
This campaign shows just how important it is for patches to be applied quickly. As soon as a vulnerability is made public, malicious actors will use the vulnerability in attacks. When patches are made public, malicious actors get straight to work and reverse engineer the patch, allowing them to identify and exploit flaws. As these attacks indicate, it may only take a few hours or days before vulnerabilities are attacked.
The recent WannaCry and NotPetya malware attacks indicated just how easy it is for vulnerable systems to be attacked. Both of those attacks targeted a vulnerability in Windows Server Message Block to obtain access to systems. A patch had been issued to address the flaw eight weeks before the WannaCry ransomware attacks happened. Had patches been applied swiftly, it would not have been possible to download the ransomware.