A week after details about a severe Microsoft Office vulnerability came to light, at least one criminal group is now using it to infect users.
The group is not your regular spam botnet, but a top cyber-criminal operation known to security researchers as Cobalt, a hacking outfit that has targeted banks, ATM networks, and financial institutions for the past two years.
According to Reversing Labs, a UK-based cyber-security firm, the Cobalt group is now sending high-value targets RTF documents laced with exploits that take advantage of CVE-2017-11882.
This is a vulnerability in the Office Equation Editor component that allows an attacker to execute code on victims' computers without user interaction.
You don't need a grizzled veteran of the infosec community to tell you that a vulnerability with such results would be incredibly valuable for any cyber-criminal organization.
Besides the damage this vulnerability can do, Cobalt's quick adoption of CVE-2017-11882 was most likely aided by the availability of four proof of concept (PoC) exploits that have been published online in the past week [1, 2, 3, 4].
According to Reversing Labs, the Cobalt group is currently sending emails carrying a booby-trapped RTF file that uses a CVE-2017-11882 exploit to download and run additional malicious files. The infection chain goes through multiple steps, but in the end it downloads and loads a malicious DLL file that has yet to be analyzed in more depth.
Proofpoint's Matthew Mesa also saw the same emails, but observed a slightly different exploitation chain.
hxxps://goo[.]gl/1GEcjp
CVE-2017-11882 -> mshta -> Powershell -> DLL -> Drops msxsl.exe and runs Jscript Backdoor (more_eggs) with it.
Likely Cobalt group/gang.
Similar Jscript payload described here: https://t.co/72Mv7ucvm8 @subTee
— Matthew Mesa (@mesa_matt) November 22, 2017
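For defenders, the chain in the tweet above translates into a process-ancestry check: flag anything spawned beneath the Equation Editor host process (EQNEDT32.EXE). The sketch below is an added example, not code from Proofpoint or Reversing Labs; the events, PIDs and file paths are constructed, and the DLL stage is assumed to be a module load rather than a separate process.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
EVENTS = [
    {"pid": 700,  "ppid": 4,    "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2100, "ppid": 1500, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 2200, "ppid": 700,  "image": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 2300, "ppid": 2200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 2400, "ppid": 2300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 2500, "ppid": 2400, "image": r"C:\Users\Public\msxsl.exe"},  # constructed drop path
    {"pid": 2600, "ppid": 2100, "image": r"C:\Windows\splwow64.exe"},    # benign Word child
]

ROOT = "eqnedt32.exe"  # Equation Editor host process
CHAIN_TOOLS = {"mshta.exe", "powershell.exe", "msxsl.exe"}  # stages named in the tweet


def base(image):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(image).lower()


def find_chains(events):
    """Return one alert per process that descends from EQNEDT32.EXE."""
    # Real telemetry should key on process GUIDs, since PIDs get reused.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain, cur, seen = [base(e["image"])], e, {e["pid"]}
        # Walk parents until the root, an unknown parent, or a PID loop.
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:
            cur = by_pid[cur["ppid"]]
            seen.add(cur["pid"])
            chain.append(base(cur["image"]))
            if chain[-1] == ROOT:
                break
        if len(chain) > 1 and chain[-1] == ROOT:
            path = chain[::-1]
            # Any Equation Editor child is unusual; the tweet's tools raise severity.
            severity = "high" if CHAIN_TOOLS & set(path[1:]) else "medium"
            alerts.append({"pid": e["pid"], "path": " -> ".join(path), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```
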
As for the Cobalt group, they have a history of jumping on Microsoft bugs as soon as they're disclosed and weaponizing them for their campaigns. The same thing happened with CVE-2017-8759, a remote code execution vulnerability that affected the .NET Framework, patched by Microsoft in the September 2017 Patch Tuesday.
Security firms first started documenting the Cobalt group in 2016, when it was spotted hitting ATMs and financial institutions across Europe. The group then spread to targets in the Americas, and later also targeted Russian banks, using the ex-Soviet space as a testing ground for new attacks, before it moved to more wealthy targets elsewhere.
The group's most well-known malware family is Cobalt Strike, named after the commercial penetration testing software of the same name because it uses some of its components.
As we've seen in the past, it doesn't take too long for a vulnerability to trickle down from professional cyber-criminal groups to spam botnet herders once public PoCs are available.
Users should apply Windows updates KB2553204, KB3162047, KB4011276, and KB4011262, included in the November 2017 Patch Tuesday, to guard against CVE-2017-11882 exploitation.