Attackers Exploit 17-Year-Old Bug to Deliver Malware via Cobalt Strike

Malicious actors are exploiting a 17-year-old vulnerability to infect machines with malware using a component of the Cobalt Strike penetration-testing tool.

An attack under this campaign begins when a user receives a spam email purporting to come from Visa and announcing a change to its payWave service in Russia. The email carries a password-protected archive named “Изменения в системе безопасности.doc Visa payWave.doc.” Those behind this operation likely protected the archive with a password to lull the user into a false sense of security, suggesting that Visa had taken precautions to protect the contents of the document.

However, the archive is merely a distraction. The real payload of the attack email is a malicious RTF document that, when opened, exploits CVE-2017-11882, a 17-year-old arbitrary code execution vulnerability that Microsoft patched in mid-November 2017. The exploit triggers obfuscated JavaScript, which runs an obfuscated PowerShell script; that script downloads a second PowerShell script and executes it to load Cobalt Strike in memory.
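As an added illustration (not part of the Tripwire report), the Python below models the chain described above over constructed Sysmon-style process-creation records and flags a PowerShell process whose lineage passes through the Equation Editor (EQNEDT32.EXE, the component patched by CVE-2017-11882) and a script host, with download-and-execute indicators on its command line. The record layout, the script hosts used for the JavaScript stage, and the indicator list are assumptions; the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records: (pid, ppid, image path, command line).
# Modelled on the chain in the article; none of these values come from it.
EVENTS: List[Tuple[int, int, str, str]] = [
    (100, 1, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE lure.rtf"),
    # Equation Editor spawned by Word when the RTF triggers CVE-2017-11882
    (200, 100, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    # Assumed script host for the obfuscated JavaScript stage
    (300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe //e:jscript C:\Users\u\AppData\Local\Temp\s.js"),
    # Constructed encoded PowerShell stager (the Base64 is a placeholder)
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    # Benign control: an admin running PowerShell from Explorer
    (500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-ChildItem"),
]

EQUATION_EDITOR = "eqnedt32.exe"                            # process fixed by CVE-2017-11882
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed JavaScript hosts
# Indicators of a PowerShell download-and-execute stager (assumed, not from the article)
DOWNLOAD_EXEC = re.compile(r"downloadstring|webclient|invoke-expression|\biex\b|-enc|-w hidden", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, Tuple[int, str, str]]) -> List[str]:
    """Image basenames from the given process up to the root we have records for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        ppid, image, _ = by_pid[pid]
        chain.append(_basename(image))
        pid = ppid
    return chain


def find_suspicious_chains(events: List[Tuple[int, int, str, str]]) -> List[Tuple[int, str]]:
    """Return (pid, lineage) for PowerShell processes matching the article's chain."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, _ppid, image, cmd in events:
        if _basename(image) != "powershell.exe":
            continue
        lineage = ancestry(pid, by_pid)
        if EQUATION_EDITOR in lineage and SCRIPT_HOSTS & set(lineage) and DOWNLOAD_EXEC.search(cmd):
            hits.append((pid, " <- ".join(lineage)))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_suspicious_chains(EVENTS):
        print(f"suspicious PowerShell pid={pid}: {lineage}")
```

The benign PowerShell launched from Explorer is not reported, so the lineage check, not the mere presence of PowerShell, is what carries the detection.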

Source: Tripwire