Posted on November 30, 2017 at 5:43 AM
A memory-corruption vulnerability in Microsoft Office is being exploited in the wild to infect Windows machines with a Cobalt Strike payload.
New evidence confirms that attackers are exploiting a Microsoft Office flaw to compromise the devices of unsuspecting users. Once the payload is running, the attacker controls the machine remotely and can steal data, execute further code, and use the foothold for other criminal activity.
The payload, referred to simply as Cobalt in the reports, is the Beacon implant of Cobalt Strike. Cobalt Strike is not malware by origin: it is a commercial adversary-simulation framework built for red team operations and penetration testers, and precisely because its implant is so capable, criminal groups have adopted pirated copies of it as their own remote-access tool.
What makes this campaign particularly alarming is the age of the flaw: the vulnerable component, the Equation Editor (EQNEDT32.EXE), had shipped with Office essentially unchanged for 17 years before the bug was reported this month. Microsoft released a patch for it on November 14, 2017.
The flaw, CVE-2017-11882, is a remote code execution vulnerability in Microsoft Office. It is a stack buffer overflow in the Equation Editor, triggered when the component parses a crafted equation object embedded in a document (an overlong font name in the object's data overruns a fixed-size buffer). Because EQNEDT32.EXE was compiled in 2000 without ASLR and runs as a separate process, the overflow is straightforward to turn into reliable code execution.
Attackers exploit it to run arbitrary code with the privileges of the logged-in user, which is enough to install a remote-access payload and take over the machine.
Although Microsoft published the fix a few weeks ago, several groups began weaponizing the flaw within days of its disclosure, counting on the many users who had not yet installed the update.
One campaign in particular targeted Russian-speaking users. Victims received a fraudulent email purporting to come from Visa and claiming to inform them of changes to its payWave policy.
The email carried a password-protected RTF document as an attachment, with the password supplied in the message body. The protection was presumably meant to make the mail look like a legitimate secure communication, but researchers found that it also let the attachment slip past most malware scanners, which cannot inspect content they cannot open.
Once opened, the document is blank except for the words “Enable Editing”. That prompt is the attack's hinge: Office opens email attachments in Protected View, where embedded objects such as the Equation Editor are not activated, so the exploit cannot fire until the user clicks Enable Editing and leaves the sandbox. When that happens, the embedded object is handed to the Equation Editor, the overflow triggers, and the resulting code launches PowerShell to download and execute a Cobalt Strike Beacon that hijacks the system.
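The two things a defender wants to check on an attachment like this are whether the RTF embeds an Equation Editor object at all and whether it is marked to activate on open. The script below is an added example, not code from the original post or from the researchers who analysed the campaign: it decodes the RTF `\objdata` hex, parses the OLE1 object header to recover the embedded class name, and also looks for the Equation Editor CLSID and the `\objupdate` flag. The function names, the tolerance for control-word noise inside the hex, and both RTF fixtures are this example's own assumptions; the fixtures are constructed (the "lure" carries a stub object with no equation content, so it exploits nothing).

```python
"""Triage an RTF attachment for an embedded Equation Editor object, the carrier for
CVE-2017-11882 lures. Added example; not the original researchers' tooling."""
import re
import struct

# CLSID of the Equation Editor 3.0 COM server (EQNEDT32.EXE). The byte form is how the
# GUID is laid out inside an OLE compound file (Data1-3 little-endian, Data4 as written).
EQUATION_CLSID = "{0002CE02-0000-0000-C000-000000000046}"
EQUATION_CLSID_BYTES = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file signature of the native data

OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)")          # hex body runs to the closing brace
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")     # declared ProgID; may be absent or lie
CONTROL_WORD_RE = re.compile(r"\\[A-Za-z]+-?\d*\s?")     # junk control words salted into hex


def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata group to bytes, tolerating whitespace and control-word noise
    that lures add to defeat naive scanners (\\bin binary runs are not handled here)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        body = CONTROL_WORD_RE.sub("", m.group(1))
        hexdigits = "".join(c for c in body if c in "0123456789abcdefABCDEF")
        if len(hexdigits) % 2:        # odd nibble count: drop the dangling half byte
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits))
    return blobs


def parse_ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader ([MS-OLEDS] 2.2.4) that starts an \\objdata blob:
    OLEVersion(4) FormatID(4) ClassName TopicName ItemName (each: length(4) + bytes)
    NativeDataSize(4) NativeData. Returns None if the blob is truncated or malformed."""
    if len(blob) < 12:
        return None
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):
        if off + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if n > len(blob) - off:
            return None
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    if off + 4 > len(blob):
        return None
    (native_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    return {"ole_version": ole_version, "format_id": format_id,
            "class_name": names[0], "native": blob[off:off + native_size]}


def triage_rtf(rtf: str) -> list:
    """One finding per embedded object. 'equation_editor' is True when the object would be
    handed to EQNEDT32.EXE, judged by ProgID or by the CLSID inside the native data."""
    declared = [c.strip() for c in OBJCLASS_RE.findall(rtf)]
    auto_update = "\\objupdate" in rtf   # forces activation on open; no double-click needed
    findings = []
    for blob in extract_objdata(rtf):
        hdr = parse_ole1_header(blob)
        if hdr is None:
            findings.append({"class_name": None, "declared": declared, "auto_update": auto_update,
                             "equation_editor": False, "native_is_cfb": False,
                             "note": "unparseable OLE1 header"})
            continue
        is_eqn = (hdr["class_name"].lower().startswith("equation")
                  or any(d.lower().startswith("equation") for d in declared)
                  or EQUATION_CLSID_BYTES in hdr["native"])
        findings.append({"class_name": hdr["class_name"], "declared": declared,
                         "auto_update": auto_update, "equation_editor": is_eqn,
                         "native_is_cfb": hdr["native"].startswith(CFB_MAGIC)})
    return findings


def build_ole1_hex(class_name: str, native: bytes) -> str:
    """Constructed OLE1 blob for fixtures (FormatID 2 = embedded object); not an exploit."""
    cn = class_name.encode("latin-1") + b"\x00"
    blob = struct.pack("<III", 0x00000501, 2, len(cn)) + cn
    blob += struct.pack("<II", 0, 0)                  # empty TopicName and ItemName
    blob += struct.pack("<I", len(native)) + native
    return blob.hex()


# Constructed fixtures, not real samples. The "lure" embeds an Equation.3 object whose native
# data is only the compound-file magic plus zeros (no equation content, nothing to exploit);
# its hex is broken across lines and salted with a control word, as real lures are.
_lure_hex = build_ole1_hex("Equation.3", CFB_MAGIC + b"\x00" * 24)
LURE_RTF = ("{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata "
            + _lure_hex[:40] + "\n\\bkmkstart " + _lure_hex[40:] + "}}}")
BENIGN_RTF = ("{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + build_ole1_hex("Word.Document.8", CFB_MAGIC + b"\x00" * 24) + "}}}")

if __name__ == "__main__":
    for name, doc in (("lure", LURE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

Read a real attachment with `open(path, encoding="latin-1").read()` and pass it to `triage_rtf`; a finding with `equation_editor` True on an unpatched host is reason enough to quarantine, and `auto_update` True means the user never has to click inside the document once it leaves Protected View. The parser reads the class name from the OLE1 header rather than trusting `\objclass`, because the declared ProgID is optional and attackers can set it to something innocuous.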
After installation, the hacker would enjoy full access to the device, and can easily execute code and commands remotely.
Microsoft Office users have been instructed to install the November 2017 security update to prevent their devices from being compromised. Organizations that cannot patch immediately can neutralize the attack vector by disabling the Equation Editor COM server, as Microsoft's advisory describes: set the DWORD value "Compatibility Flags" to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and under the Wow6432Node branch for 32-bit Office on 64-bit Windows). Users should also treat any unexpected attachment that asks them to click "Enable Editing" as hostile, since that click is what disarms Protected View.