Cobalt Malware Spreads Using 17-Year-Old Vulnerability

Cobalt-based malware is spreading by exploiting a 17-year-old vulnerability.

FortiGuard Labs’ Kadena Threat Intelligence System (KTIS) has uncovered a spam campaign that uses a remote code execution document vulnerability, CVE-2017-11882, which, although known about for the better part of two decades, was only disclosed and patched by Microsoft in November.

“Not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike,” FortiGuard said, in an analysis of the campaign. “Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.”

The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. The attachments include password-protected archives—typically this tactic is used to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. This gambit is different.

“This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open,” FortiGuard said. “So, it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.”

The PowerShell script payload contains anti-detection beacons, and allows threat actors to control the victim’s system and initiate lateral movement procedures in the network by executing a wide array of commands.

“It is also notable that in this case these cyber-criminals were able to load Cobalt Strike’s module without the need to write it as a physical file,” added the firm. “Instead, they are using trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.”
