The notorious Cobalt hacking group has started to exploit a 17-year-old vulnerability in Microsoft Office that was addressed earlier this month, security researchers claim.
Fixed in Microsoft’s November 2017 Patch Tuesday security updates and found by Embedi security researchers in the Microsoft Equation Editor (EQNEDT32.EXE), the bug is identified as CVE-2017-11882.
The issue was found in a component that remained unchanged in Microsoft’s Office suite since November 9, 2000, and appears to have been patched manually instead of being corrected directly in the source code, an analysis 0patch published last week reveals.
An Office component designed to facilitate the creation of math and science equations, the Equation Editor was replaced in Office 2007 with new methods of displaying and editing equations. However, the old tool continues to be part of the popular Office suite to ensure compatibility with older documents.
The newly addressed vulnerability has recently started being exploited by the Cobalt hackers in live attacks, ReversingLabs, which managed to capture a RTF document specifically designed to exploit CVE-2017-11882, says.
The malicious file was observed contacting a remote server to grab a first-stage payload it would execute using MSHTA.exe. The executed code would then connect to the remote server to fetch a second-stage payload, a script that would drop an embedded, final payload.
This appears to be the Cobalt Strike backdoor, the group’s preferred malicious tool. The malware allows the attackers to execute remote commands on the infected systems.
Considering that unpatched EQNEDT32.EXE instances put Office users at risk, regardless of the Windows version their systems run. The 17 year-old bug was found to impact even machines running Windows 10 Creators Update, which explains why hackers are already exploiting the vulnerability.
What’s more, proof-of-concept exploits for the vulnerability were published soon after the vulnerability became public, so there’s no surprise in the fact that Cobalt has already started targeting the bug, especially since the hacking group is known to be a fast adopter of newly discovered exploits.
A financially-motivated group, Cobalt was first described in 2016 and is known to be targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The hackers use phishing emails carrying malicious documents or ZIP archives packing executables to distribute their malware.
Earlier this year, the group started abusing CVE-2017-0199, a vulnerability patched in April, expanded its operations to North America, and started using supply chain attacks. The group was initially focused only on Eastern Europe and Central and Southeast Asia, but is now hitting targets worldwide.
A report published last week revealed that the group started targeting banks themselves, instead of bank customers. The attacks were attempting to exploit CVE-2017-8759, a code injection/remote code execution vulnerability in Microsoft’s .NET Framework that was patched in September 2016.
Related: Cobalt Hackers Now Targeting Banks Directly
Related: Microsoft Patches 17 Year-Old Vulnerability in Office

More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
