Cobalt malware was documented exploiting the 17-year-old CVE-2017-11882 vulnerability via spam just a few days after researchers noted a similar spam campaign that used malicious RTF documents.
Microsoft only recently patched the memory corruption vulnerability, which exists in Office software because the program fails to properly handle objects in memory. The flaw could allow an attacker to run arbitrary code.
Shortly after the vulnerability was announced, threat actors weaponised the flaw to deliver malware using a component from the Cobalt Strike penetration testing tool, according to a Nov. 27 Fortinet blog post. The malware is spread via a spam campaign posing as a notification from Visa about rule changes to its payWave service in Russia, and is contained in a malicious RTF document attachment.
“Once the document is opened, the user is presented with a plain document,” researchers said in the post. “However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim's system.”
The cyber-criminals behind the attack were able to load Cobalt Strike's module without writing it to disk as a physical file, instead using trusted Microsoft Windows tools to run client-side scripts, an approach that traditional anti-virus products can overlook.
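The chain described above (a document opened, a PowerShell script spawned in the background, nothing written to disk) is exactly the parent/child relationship that process-creation telemetry can catch, even when file-based anti-virus sees nothing. The following is an added example and is not code from the article or from Fortinet: a small Python scorer that runs over constructed, simplified process-creation log lines (key="value" form; the field names are assumptions loosely modelled on a Sysmon process-create event) and flags an Office host, including the Equation Editor binary EQNEDT32.EXE that CVE-2017-11882 affects, launching a scripting host, adding weight for command-line fragments typical of download-and-execute PowerShell cradles. The process lists, regex heuristics, weights, threshold and sample lines are all the example author's assumptions, not values from the page.

```python
"""Added detection example (not from the article or Fortinet): flag Office
components spawning a scripting host, as in the RTF-to-PowerShell chain above."""
import re

# Office hosts that should essentially never launch a shell. EQNEDT32.EXE is the
# Equation Editor binary in which CVE-2017-11882 lives (known fact, not from the article).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of download cradles. Patterns and weights are the
# example author's heuristic, applied to the lower-cased command line.
SUSPICIOUS_ARGS = {
    r"-nop(rofile)?\b": 1,
    r"-w(indowstyle)?\s+hidden": 1,
    r"-e(nc|ncodedcommand)?\b": 2,
    r"downloadstring|downloadfile|net\.webclient": 2,
    r"\biex\b|invoke-expression": 2,
}

# Assumed log format: space-separated key="value" pairs, values free of double quotes.
EVENT_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one log line into a dict; return None unless it is a process-creation event."""
    fields = dict(EVENT_RE.findall(line))
    if fields.get("EventType") != "ProcessCreate":
        return None
    return fields


def basename(path):
    """Last path component, lower-cased, so C:\\...\\WINWORD.EXE compares as winword.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). The parent/child match alone reaches the alert threshold."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        score += 3
        reasons.append(f"{parent} spawned {child}")
    for pattern, weight in SUSPICIOUS_ARGS.items():
        if re.search(pattern, cmd):
            score += weight
            reasons.append(f"cmdline matches /{pattern}/")
    return score, reasons


def scan(lines, threshold=3):
    """Run the scorer over log lines; return one alert dict per event at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one user opening a lure document, the Equation Editor
# launching a hidden PowerShell with a placeholder encoded command, Word launching cmd,
# a legitimate admin script, and a non-process event that must be ignored.
SAMPLE_LOG = [
    r'EventType="ProcessCreate" ProcessId="4400" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n C:\Users\u\Downloads\Visa_payWave_notice.rtf"',
    r'EventType="ProcessCreate" ProcessId="4512" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" CommandLine="powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA"',
    r'EventType="ProcessCreate" ProcessId="4520" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="cmd.exe /c echo test"',
    r'EventType="ProcessCreate" ProcessId="5100" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"',
    r'EventType="NetworkConnect" ProcessId="4512" DestinationIp="198.51.100.20" DestinationPort="443"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts: the Equation Editor spawning PowerShell scores 7 (parent/child match plus the hidden-window, no-profile and encoded-command flags), and Word spawning cmd.exe scores 3 on the parent/child relationship alone. The admin's PowerShell launched from Explorer scores 0 despite `-ExecutionPolicy Bypass`, which is why the rule keys on the Office parent rather than on PowerShell use in general.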
Users are urged to update their systems as soon as possible to avoid infection.