![]() ![]() Since this vulnerability has already been patched by Microsoft, it is crucial for everyone to update their systems. = FortiGuard Lion Team =- FortiGuard Lab Protections Instead, they are using trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products. It is also notable that in this case these cybercriminals were able to load Cobalt Strike’s module without the need to write it as a physical file. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This goes both for new and old vulnerabilities, whether they have been published or not. Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This is no surprise since officially, Cobalt Strike is a tool used for penetration testing. This minimizes the risks of AVs detecting the module.įrom there, the threat actors can control the victim’s system and initiate lateral movement procedures in the network by executing a wide array of commands. The appropriate version is executed directly in PowerShell’s memory, which means that the actual decoded DLL is not written in the victim’s disk. The PowerShell script payload contains encoded Cobalt Strike 32-bit and 64-bit client DLLs, or “Beacons” as the developers call them. 4 Encoded and decoded PowerShell script downloader However, due to its flexibility and wide access to system functions, it has also become a favorite tool of malware authors.įig. PowerShell command-line tool is another Microsoft Windows native component that was designed for administrative purposes. This is saved in the victim’s system as %APPDATA%\.ps1, and is executed to load the Cobalt Strike client directly to memory. This is executed by using Microsoft HTML Application Host (mshta.exe), a Microsoft Windows tool used to execute HTML applications.Īn obfuscated PowerShell script from the JavaScript is then executed, which downloads another PowerShell script from http//104.254.99.77 /out.ps1. Upon the triggering of the exploit, an obfuscated JavaScript is downloaded from http//104.254.99.77/x.txt. ![]() In this attack, multiple stages of scripts being downloaded and executed are used to get to the main malware payload. 2 Attached exploit document CVE-2017-11882 Exploit Leads to a Cobalt Strike Beacon However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim’s system.įig. Once the document is opened, the user is presented with a plain document. 1 Fake Visa notification email in russian So it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.įig. This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open. This is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. Spam mails containing password-protected archives, which usually also contain the malicious file, has become very common. For some reason, this archive also contains the said document. The attachments include a malicious RTF document with the filename “ Изменения в системе безопасности.doc Visa payWave.doc” and an archive (same filename) protected by a password that is included in the email’s body. The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. Fake Visa Notification Targets Russian Speakers Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.Īnd as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike. Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |