FortiGuard Labs Threat Research
Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882. Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.
And as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike.
The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. The attachments include a malicious RTF document with the filename “Изменения в системе безопасности.doc Visa payWave.doc” and an archive (same filename) protected by a password that is included in the email’s body. For some reason, this archive also contains the said document.
Spam mails containing password-protected archives, which usually also contain the malicious file, has become very common. This is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open. So it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.
Fig. 1 Fake Visa notification email in russian
Once the document is opened, the user is presented with a plain document. However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim’s system.
Fig. 2 Attached exploit document
In this attack, multiple stages of scripts being downloaded and executed are used to get to the main malware payload.
Fig. 4 Encoded and decoded PowerShell script downloader
The PowerShell script payload contains encoded Cobalt Strike 32-bit and 64-bit client DLLs, or “Beacons” as the developers call them. The appropriate version is executed directly in PowerShell’s memory, which means that the actual decoded DLL is not written in the victim’s disk. This minimizes the risks of AVs detecting the module.
Fig. 5 Decoded DLLs
From there, the threat actors can control the victim’s system and initiate lateral movement procedures in the network by executing a wide array of commands. This is no surprise since officially, Cobalt Strike is a tool used for penetration testing. Just not in this case.
Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.
It is also notable that in this case these cybercriminals were able to load Cobalt Strike’s module without the need to write it as a physical file. Instead, they are using trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.
-= FortiGuard Lion Team =-
Since this vulnerability has already been patched by Microsoft, it is crucial for everyone to update their systems. In addition, Fortinet customers are protected by the following:
http[:]//22.214.171.124 - Blocked
c19a9f55dbc010c6ed8b42ebc55f7b5fbaddf79cea7c473ed396ddba5f55e414 (RTF) – MSWord/CVE201711882.FTG!exploit
677426cdd9c6945de3a3858f12fae62914e4d914a24f51475b859f2bcb545095 (PS payload) – W32/Cobalt.FTG!tr.dldr
d8e1403446ac131ac3b62ce10a3ee93e385481968f21658779e084545042840f (64bit beacon) – W64/Cobalt.FTG!tr.bdr
fb97a028760cf5cee976f9ba516891cbe784d89c07a6f110a4552fc7dbfce5f4 (32bit beacon) – W32/Cobalt.FTG!tr.bdr