Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability

Only a few days after FortiGuard Labs  published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882. Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.

And as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike.

Fake Visa Notification Targets Russian Speakers

The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. The attachments include a malicious RTF document with the filename “Изменения в системе безопасности.doc Visa payWave.doc” and an archive (same filename) protected by a password that is included in the email’s body. For some reason, this archive also contains the said document.

Spam mails containing password-protected archives, which usually also contain the malicious file, has become very common. This is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open. So it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.

Fig. 1 Fake Visa notification email in russian

Once the document is opened, the user is presented with a plain document. However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim’s system.

Fig. 2 Attached exploit document

CVE-2017-11882 Exploit Leads to a Cobalt Strike Beacon

In this attack, multiple stages of scripts being downloaded and executed are used to get to the main malware payload.

Upon the triggering of the exploit, an obfuscated JavaScript is downloaded from http[:]//104.254.99.77/x.txt. This is executed by using Microsoft HTML Application Host (mshta.exe), a Microsoft Windows tool used to execute HTML applications.

Fig. 3 Obfuscated JavaScript downloader

An obfuscated PowerShell script from the JavaScript is then executed, which downloads another PowerShell script from http[:]//104.254.99.77/out.ps1. This is saved in the victim’s system as %APPDATA%{random}.ps1, and is executed to load the Cobalt Strike client directly to memory. PowerShell command-line tool is another Microsoft Windows native component that was designed for administrative purposes. However, due to its flexibility and wide access to system functions, it has also become a favorite tool of malware authors.

Fig. 4 Encoded and decoded PowerShell script downloader

The PowerShell script payload contains encoded Cobalt Strike 32-bit and 64-bit client DLLs, or “Beacons” as the developers call them. The appropriate version is executed directly in PowerShell’s memory, which means that the actual decoded DLL is not written in the victim’s disk. This minimizes the risks of AVs detecting the module.

Fig. 5 Decoded DLLs

From there, the threat actors can control the victim’s system and initiate lateral movement procedures in the network by executing a wide array of commands. This is no surprise since officially, Cobalt Strike is a tool used for penetration testing. Just not in this case.

Conclusion

Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.

It is also notable that in this case these cybercriminals were able to load Cobalt Strike’s module without the need to write it as a physical file. Instead, they are using trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.

-= FortiGuard Lion Team =-

FortiGuard Lab Protections

Since this vulnerability has already been patched by Microsoft, it is crucial for everyone to update their systems. In addition, Fortinet customers are protected by the following:

File signatures:

MSWord/CVE201711882.FTG!exploit

W32/Cobalt.FTG!tr.dldr

W64/Cobalt.FTG!tr.bdr

Blocked sites:

http[:]//104.254.99.77 – Blocked

IOC

c19a9f55dbc010c6ed8b42ebc55f7b5fbaddf79cea7c473ed396ddba5f55e414 (RTF) – MSWord/CVE201711882.FTG!exploit

677426cdd9c6945de3a3858f12fae62914e4d914a24f51475b859f2bcb545095 (PS payload) –  W32/Cobalt.FTG!tr.dldr

d8e1403446ac131ac3b62ce10a3ee93e385481968f21658779e084545042840f (64bit beacon) – W64/Cobalt.FTG!tr.bdr

fb97a028760cf5cee976f9ba516891cbe784d89c07a6f110a4552fc7dbfce5f4 (32bit beacon) – W32/Cobalt.FTG!tr.bdr

Download Sites

http[:]//104.254.99.77

Sign up for our weekly FortiGuard Labs intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.