Cobalt malware took advantage of 17-year-old MS Office vulnerability

Cobalt targets banks using Microsoft Equation Editor’s vulnerability

Hacking group Cobalt came back and took advantage of the 17-year-old security flaw in Microsoft Office.^[1] The bug exists in Microsoft Equation Editor (EQNEDT32.EXE) which allows using mathematical equations in Office documents. However, after almost two decades, Microsoft released an update to fix the vulnerability.

The security flaw in Microsoft Equation Editor (CVE-2017-11882) allowed attackers exploit code execution in:^[2]

• MS Office 2007 Service Pack 3;
• MS Office 2010 Service Pack 2;
• MS Office 2013 Service Pack 1;
• MS Office 2016.

Even though Microsoft released an update in November’s Patch Tuesday; cyber criminals managed to use this bug for their benefits. They used Cobalt Strike penetration testing tool to launch the attack as soon as the payload is dropped on the system.

Malware is famous for attacking banks and financial institutions. Thus, these organizations are advised to install latest Microsoft updates to prevent the attack.

Recent malspam campaign is aimed at Russian banks

Cobalt malware was noticed actively spreading via malicious spam emails. The campaign targets companies and organizations in Russia by sending malicious RTF files.^[3] Emails were designed to look like notifications sent from Visa.

The message provided information about changed rules for the payWave service. However, the most important part is email attachments. Malicious letter included .doc and .zip files named “Изменения в системе безопасности.doc Visa payWave.”

The corrupted Word document included a text “Enable Editing.” However, victims do not need to take any action. While they stare at the blank document, PowerShell scripts are running in the background and download Cobalt Strike client. Once the download is finished, crooks got access to the affected system.

Cobalt hacking group is known since 2016

Hackers standing behind Cobalt group caught security researchers’ attention last year when they launched several attacks to ATMs in at least 14 countries, including Malaysia, United Kingdom, Netherlands, and Russia.^[4]

In summer 2016, hackers also launched phishing campaign that targeted bank employees. European Central Bank, ATM maker Wincor Nixdorf, and other European banks suffered from the attack.^[5]

Cyber criminals are exploiting Microsoft products’ vulnerabilities and use Cobalt Strike penetration testing tool, which gave the name of the hackers’ team. Crooks use social engineering and apply well-crafted social engineering strategies to trick bank and financial institution workers’ to open an infected email attachment.

Even though after several attacks in Europe, banks started paying more attention to cyber security and employees education, criminals were improving as well. In order to create convincing emails, they managed to get access to companies’ servers and databases to make letters look like sent from trusted partners. For this reason, it’s easy to get tricked by a phishing email.