A Microsoft Office vulnerability that has existed since Windows 2000 was used by hackers to spread Cobalt malware on targeted computers.

The name Cobalt was chosen because the malware was built using a component from a legitimate penetration-testing tool called Cobalt Strike. Cobalt Strike is threat emulation software that gives penetration testers one of the most powerful network attack kits available for executing targeted attacks against modern enterprises.

The vulnerability (CVE-2017-11882) that the Cobalt malware uses to deliver its backdoor is a memory-corruption issue that permits unauthenticated, remote attackers to execute malicious code on the targeted system when a malicious file is opened, and potentially to take full administrative control of it. This vulnerability affects all versions of Microsoft Office and the Windows operating system. The malware is distributed through spam email disguised as a notification from Visa.

The vulnerability resides in EQNEDT32.EXE, an MS Office component responsible for inserting and editing equations (OLE objects) in documents.
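Because the flaw sits in the component that handles equation OLE objects, a mail or file gateway can triage documents by checking whether they embed such an object at all. The following is an added example, not code from the original article; the ProgID `Equation.3`, the CLSID and the `Equation Native` stream name are the well-known identifiers of Equation Editor 3.0 rather than values from the article, and the function names and sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# Identifiers of the legacy "Microsoft Equation 3.0" OLE server (EQNEDT32.EXE).
PROGID = b"Equation.3"
CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")  # {0002CE02-0000-0000-C000-000000000046}
STREAM_NAME = "Equation Native".encode("utf-16-le")  # OLE2 stream holding the equation
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
MAX_MEMBER = 32 * 1024 * 1024  # skip oversized ZIP members (decompression-bomb guard)

def find_equation_objects(data: bytes, name: str = "file") -> list[str]:
    """Return indicators that `data` embeds an Equation Editor OLE object."""
    hits = []
    if data.lstrip().startswith(b"{\\rtf"):
        if re.search(rb"\\objclass\s+Equation\.3", data, re.I):
            hits.append(f"{name}: rtf objclass")
        # The objdata group is hex text that may be split by whitespace; compare on hex.
        hexbody = re.sub(rb"\s+", b"", data).lower()
        if PROGID.hex().encode() in hexbody or CLSID_LE.hex().encode() in hexbody:
            hits.append(f"{name}: rtf objdata")
    elif data.startswith(OLE2_MAGIC):
        if CLSID_LE in data:
            hits.append(f"{name}: ole2 clsid")
        if STREAM_NAME in data:
            hits.append(f"{name}: ole2 stream")
    elif data.startswith(b"PK\x03\x04"):  # OOXML container (.docx/.xlsx/.pptx)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_MEMBER:
                    hits += find_equation_objects(zf.read(info), info.filename)
    return hits

# Constructed, inert samples: they carry only the identifying markers.
def constructed_samples() -> dict[str, bytes]:
    hexdata = PROGID.hex()
    rtf = ("{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
           "{\\*\\objdata 0105\n" + hexdata[:7] + "\r\n" + hexdata[7:] + "}}}").encode()
    ole = OLE2_MAGIC + b"\x00" * 72 + CLSID_LE + STREAM_NAME
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", ole)
    return {"rtf": rtf, "ole": ole, "docx": buf.getvalue(),
            "clean": b"{\\rtf1 Quarterly report}"}

if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(label, find_equation_objects(blob, label))
```

A hit means only that the document invokes the Equation Editor, which is a reason to quarantine or inspect it, not proof that it is malicious; heavily obfuscated RTF can also hide these markers from a byte-level scan.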

Attackers began exploiting the vulnerability not long after its disclosure. Once a vulnerability is discovered, developers should patch it immediately, before attackers can make malicious use of it. Users, for their part, are advised to apply the patch as soon as possible. The patch can be downloaded at https://portal.msrc.microsoft.com/en-US/eula.


Manny Cuevas

My name is Manny Cuevas, a Security Researcher / Engineer for about 15 years who focuses on Web and Mobile applications and other platforms, from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top-ranked hacker in the world who bypasses all security systems.

