Malspam activity was noted on September 19th 2017 delivering a Cobalt Strike payload. The malicious RTF document leverages the newly disclosed CVE-2017-8759. Microsoft has already released a patch addressing the vulnerability in the affected products. RSA FirstWatch blogged about it last week. However, we noticed different network behavior that is worth sharing with the community.
The malicious document is spreading as 'resume.rtf'. Upon opening the document in Microsoft Word, the infected system communicated with an external server over FTP to retrieve a file (readme.txt):
RSA NetWitness Packets shows the file transfer taking place in a separate session (service=0):
Due to the vulnerability, an HTTP request was made to the same server to get 'favicon.ico', which is actually an HTA script:
Following the execution of the downloaded script, an SSL session was established to download an executable:
RSA NetWitness Packets indicates that the SSL session uses a self-signed certificate. In fact, most of the certificate fields were left blank, which is why no values appear for SSL CA or SSL Subject in the screenshot below:
The final payload is a DLL that appears to be a hacking tool belonging to the offensive framework Cobalt Strike. You can find its VirusTotal scan results here.
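The three network observations above (an FTP retrieval, an image-named HTTP download that is really an HTA, and a TLS session with a self-signed certificate whose subject and issuer are blank) make a useful detection chain when correlated per destination host. The script below is an added example, not code from the original post or from RSA NetWitness; it models sessions with a small dataclass whose fields are only loosely inspired by NetWitness meta keys (service, ip.dst, filename, SSL CA, SSL subject), and all sample traffic, hostnames and addresses are constructed. The content sniffing is deliberately narrow: a real ICO starts with the bytes `00 00 01 00`, while an HTA starts with HTML markup, so a file named `favicon.ico` that begins with `<html`, `<script` or `<hta:application` is flagged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Session:
    """One network session, loosely modelled on NetWitness meta keys (constructed)."""
    service: int            # 21 = FTP control, 0 = raw data transfer, 80 = HTTP, 443 = SSL/TLS
    server: str             # ip.dst: the external host the client talked to
    filename: str = ""      # file requested or transferred, if any
    body_head: bytes = b""  # first bytes of the transferred file (HTTP and data sessions)
    ssl_subject: str = ""   # certificate subject; "" when the field was left blank
    ssl_ca: str = ""        # certificate issuer ("SSL CA" in the NetWitness UI)
    self_signed: bool = False


@dataclass
class ServerSummary:
    """Which stages of the chain were seen for one destination host."""
    stages: set = field(default_factory=set)
    findings: list = field(default_factory=list)


IMAGE_EXT = (".ico", ".png", ".gif", ".jpg")
ICO_MAGIC = b"\x00\x00\x01\x00"
# Markup that appears at the top of an HTA or HTML file but never in a real icon.
HTA_MARKERS = re.compile(rb"<hta:application|<script\b|<html\b", re.IGNORECASE)
CHAIN = {"ftp_download", "disguised_hta", "blank_selfsigned_tls"}


def http_findings(s: Session) -> List[str]:
    """Flag an HTTP download whose name says 'image' but whose first bytes say 'script'."""
    if s.service != 80 or not s.filename.lower().endswith(IMAGE_EXT):
        return []
    if s.body_head.startswith(ICO_MAGIC) or not HTA_MARKERS.search(s.body_head):
        return []
    return [f"http: {s.filename} from {s.server} holds HTML/HTA markup, not image data"]


def ssl_findings(s: Session) -> List[str]:
    """Flag a TLS session whose certificate is self-signed with blank subject and issuer."""
    if s.service != 443 or not s.self_signed:
        return []
    if s.ssl_subject.strip() or s.ssl_ca.strip():
        return []
    return [f"ssl: self-signed certificate with empty subject and CA from {s.server}"]


def stages_by_server(sessions: List[Session]) -> Dict[str, ServerSummary]:
    """Summarise, per destination host, which stages of the chain were observed."""
    summary: Dict[str, ServerSummary] = defaultdict(ServerSummary)
    for s in sessions:
        entry = summary[s.server]
        # FTP control session, or the separate data session (service=0) carrying the file.
        if s.service == 21 or (s.service == 0 and s.filename):
            entry.stages.add("ftp_download")
        for f in http_findings(s):
            entry.stages.add("disguised_hta")
            entry.findings.append(f)
        for f in ssl_findings(s):
            entry.stages.add("blank_selfsigned_tls")
            entry.findings.append(f)
    return dict(summary)


def chain_alerts(sessions: List[Session]) -> List[str]:
    """Return the servers for which every stage of the observed chain was seen."""
    return sorted(srv for srv, e in stages_by_server(sessions).items() if CHAIN <= e.stages)


# Constructed sample traffic: 203.0.113.10 plays the malicious server, 198.51.100.5 is benign.
SAMPLE_SESSIONS = [
    Session(21, "203.0.113.10", "readme.txt"),
    Session(0, "203.0.113.10", "readme.txt", b"placeholder-stage-one-content"),
    Session(80, "203.0.113.10", "favicon.ico", b'<html><head><HTA:APPLICATION id="x">'),
    Session(443, "203.0.113.10", ssl_subject="", ssl_ca="", self_signed=True),
    Session(80, "198.51.100.5", "favicon.ico", ICO_MAGIC + b"\x01\x00\x10\x10"),
    Session(443, "198.51.100.5", ssl_subject="CN=example.test", ssl_ca="CN=Example Root CA"),
]

if __name__ == "__main__":
    for server, entry in stages_by_server(SAMPLE_SESSIONS).items():
        print(server, sorted(entry.stages), entry.findings)
    print("chain alerts:", chain_alerts(SAMPLE_SESSIONS))
```

Each rule on its own is noisy (self-signed certificates and odd content types are common), which is why `chain_alerts` only raises on a host that exhibits all three stages; the per-host summary keeps the partial matches available for hunting without paging anyone.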
RTF document (SHA256):
Final payload (SHA256):