Hackers are exploiting Microsoft Word vulnerability to take control of PCs

Colbalt malware uses legitimate penetration tools to gain access to large swathes of infected systems -- but a patch is available.
Written by Danny Palmer, Senior Writer

Video: Which days of the week are worse for security threats?

Hackers are using a recently disclosed Microsoft Office vulnerability to distribute backdoor malware capable of controlling an infected system, providing attackers with the ability to extract files, execute commands and more.

Cobalt malware has such potent capabilities because it uses a well known and legitimate penetration testing tool, Cobalt Strike -- a form of software for Adversary Simulations and Red Team Operations, which can be used to access covert channels in a system.

What helps the campaign to be even more potent is the use of a Microsoft Word exploit that has been active for 17 years, but was only disclosed and patched earlier this month.

The CVE-2017-11882 exploit is a remote code execution vulnerability, which exists in Microsoft Office software as a result of the way the software handles certain objects in the memory.

Attackers can exploit this flaw to run arbitrary code, which if the user has admin rights, allows the hacker to issue commands or deliver malicious software that can take control of the system.

While the vulnerability was only disclosed weeks ago, researchers at Fortinet have found that attackers have been quick to take advantage of it, in the hope of distributing malware before users have installed the relevant security update.

The particular campaign targets Russian speakers with a spam email claiming to be a notification from Visa about rule changes for the payWave service.

The message contains a password-protected RTF document, which the user is provided with the credentials to unlock. This RTF file contains the malicious code, but the password protection helps to hide it from detection.

Once opened, the user is presented with an almost blank document, save for the words 'Enable Editing'. However, as with many malware campaigns, the strange nature of this document serves as cover for its real intention, which in this case is running a PowerShell script to download Cobalt Strike and take control of the victim's system.

Once installed, the attackers can control the victim's system and move across the network with Cobalt Strike commands.

"Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years," wrote Fortinet researchers Jasper Manual and Joie Salvio

"This may have come from an assumption that there are still a significant number of users out there that don't take software updates seriously, which sadly, is far too often the case," they added.

Microsoft Office users can download the critical update which protects them from the CVE-2017-11882 vulnerability here -- while those who've installed the update are already immune to this particular attack.


The malware effectively gives attackers control of an entire infected system.

Image: iStock

Previous and related coverage

What is phishing?

How to protect yourself from scam emails and more

Ransomware: An executive guide to one of the biggest menaces on the web

Everything you need to know about ransomware: how it started, why it's booming, how to protect against it, and what to do if your PC's infected.

Microsoft Office vulnerabilities mean no .doc is safe[CNET]

On the same day as a big Windows 10 update, Microsoft is patching an Office flaw that could let hackers take control of your machine.


Editorial standards