Connect with us

Hi, what are you looking for?



Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office

The notorious Cobalt hacking group has started to exploit a 17-year-old vulnerability in Microsoft Office that was addressed earlier this month, security researchers claim.

The notorious Cobalt hacking group has started to exploit a 17-year-old vulnerability in Microsoft Office that was addressed earlier this month, security researchers claim.

Fixed in Microsoft’s November 2017 Patch Tuesday security updates and found by Embedi security researchers in the Microsoft Equation Editor (EQNEDT32.EXE), the bug is identified as CVE-2017-11882.

The issue was found in a component that remained unchanged in Microsoft’s Office suite since November 9, 2000, and appears to have been patched manually instead of being corrected directly in the source code, an analysis 0patch published last week reveals.

An Office component designed to facilitate the creation of math and science equations, the Equation Editor was replaced in Office 2007 with new methods of displaying and editing equations. However, the old tool continues to be part of the popular Office suite to ensure compatibility with older documents.

The newly addressed vulnerability has recently started being exploited by the Cobalt hackers in live attacks, ReversingLabs, which managed to capture a RTF document specifically designed to exploit CVE-2017-11882, says.

The malicious file was observed contacting a remote server to grab a first-stage payload it would execute using MSHTA.exe. The executed code would then connect to the remote server to fetch a second-stage payload, a script that would drop an embedded, final payload.

This appears to be the Cobalt Strike backdoor, the group’s preferred malicious tool. The malware allows the attackers to execute remote commands on the infected systems.

Advertisement. Scroll to continue reading.

Considering that unpatched EQNEDT32.EXE instances put Office users at risk, regardless of the Windows version their systems run. The 17 year-old bug was found to impact even machines running Windows 10 Creators Update, which explains why hackers are already exploiting the vulnerability.

What’s more, proof-of-concept exploits for the vulnerability were published soon after the vulnerability became public, so there’s no surprise in the fact that Cobalt has already started targeting the bug, especially since the hacking group is known to be a fast adopter of newly discovered exploits.

A financially-motivated group, Cobalt was first described in 2016 and is known to be targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The hackers use phishing emails carrying malicious documents or ZIP archives packing executables to distribute their malware.

Earlier this year, the group started abusing CVE-2017-0199, a vulnerability patched in April, expanded its operations to North America, and started using supply chain attacks. The group was initially focused only on Eastern Europe and Central and Southeast Asia, but is now hitting targets worldwide.

A report published last week revealed that the group started targeting banks themselves, instead of bank customers. The attacks were attempting to exploit CVE-2017-8759, a code injection/remote code execution vulnerability in Microsoft’s .NET Framework that was patched in September 2016.

Related: Cobalt Hackers Now Targeting Banks Directly

Related: Microsoft Patches 17 Year-Old Vulnerability in Office

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.