Seven-year-old MS Office bug still used to send malware
Take action: It may seem shocking that people still run MS Office installations that haven't been patched for 7+ years. Yet MS Office is expensive, and people tend to skip updates because their old version still works. Be very mindful of such old versions: they can be exploited easily.
Learn More
Security researchers at Deep Instinct Threat Lab have discovered a cyberattack campaign that exploits a very old Microsoft Office vulnerability to deploy the Cobalt Strike attack framework.
The attack involves a PowerPoint slideshow file (PPSX). The file is an old US Army manual on tank mine clearing and contains a malicious link that triggers the download of a remote script exploiting CVE-2017-8570 (CVSS score 8.7), a known Microsoft Office vulnerability.
The attack process starts with the download of an obfuscated HTML file containing JavaScript. This script, executed on the victim's system using Windows cscript.exe, establishes persistence and then downloads and executes a DLL (Dynamic Link Library). The DLL masquerades as a Cisco AnyConnect VPN file but is actually designed to inject the Cobalt Strike Beacon into memory, setting up a backdoor for remote command and control.
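The chain above leaves a characteristic trace on the endpoint: an Office application (here PowerPoint) becomes the parent of a Windows script host such as cscript.exe, which is rare in normal use. The following is an added example, not code from the Deep Instinct report, showing a minimal detection over constructed process-creation events in the spirit of Sysmon Event ID 1 records. The pipe-delimited log format, the field names, the host names and the sample command lines are all assumptions made for illustration.

```python
"""Flag Office applications spawning Windows script hosts.

Added example (not from the Deep Instinct report). It runs a simple
parent/child rule over constructed process-creation events; the log
format (host|parent_image|image|command_line) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Office applications commonly abused as lure carriers.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# Script hosts that should almost never be children of an Office process.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed record: host|parent_image|image|command_line."""
    host, parent, image, cmd = line.split("|", 3)
    return ProcessEvent(host.strip(), parent.strip(), image.strip(), cmd.strip())


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when an Office process is the parent of a script host."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in SCRIPT_HOSTS)


def detect(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the events that match the Office -> script host rule."""
    hits: List[ProcessEvent] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments in the sample log
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample events: one true positive (PowerPoint -> cscript.exe),
# one benign cscript.exe launched by Explorer, one benign Office child.
SAMPLE_LOG = """\
# host|parent_image|image|command_line
ws01|C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE|C:\\Windows\\System32\\cscript.exe|cscript.exe //E:jscript C:\\Users\\u\\AppData\\Local\\Temp\\page.html
ws01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe logon.vbs
ws02|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""


def detect_sample() -> List[ProcessEvent]:
    """Run the rule over the embedded sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in detect_sample():
        print(f"[{hit.host}] {basename(hit.parent_image)} -> "
              f"{basename(hit.image)}: {hit.command_line}")
```

On the sample log only the PowerPoint-to-cscript.exe event is reported; cscript.exe launched by Explorer and a Word process opening Notepad are left alone. In a real deployment the same parent/child rule is typically expressed in the EDR or SIEM query language rather than in a script, and the DLL stage that follows would be covered by separate rules for unsigned DLLs loaded from user-writable paths.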
The infrastructure used in the attack included a Russian VPS provider hosting the secondary payload, while the Cobalt Strike command-and-control server was registered in Warsaw, Poland.
The lure (PPSX file) contained military-related content, suggesting it was targeting military personnel. The domain names weavesilk[.]space and petapixel[.]fun, however, are disguised to resemble an obscure generative art site (http://weavesilk.com) and a popular photography site (https://petapixel.com).
The sophistication of the attack, including the efforts to evade detection and the use of seemingly unrelated domain names as part of the operation, points to a high level of planning and resources behind this campaign.