HomeWinBuzzer NewsOld Microsoft Office Bug Leveraged to Deploy Cobalt Strike in Ukraine

Old Microsoft Office Bug Leveraged to Deploy Cobalt Strike in Ukraine

Hackers targeted Ukrainian military with a PowerPoint file disguised as a US Army manual to steal data using a known Microsoft Office vulnerability.


Security experts at Deep Instinct Threat Lab have unveiled a cyber espionage campaign aimed at Ukrainian military personnel. The attackers have leveraged a Office vulnerability, CVE-2017-8570, which has been known for nearly seven years, to deploy the post-exploitation tool Cobalt Strike. This discovery was made after a malicious PPSX file was uploaded from to Spanish anti-virus scanning platform VirusTotal at the end of 2023, indicating a sophisticated effort to compromise military-related targets.

Technical Breakdown of the Attack

The initial phase of the attack involved a PowerPoint Slideshow file, masquerading as a US Army manual for tank mine clearing blades, which contained a remote link to an external OLE object. The use of the “script:” prefix in the file pointed to the exploitation of CVE-2017-8570, a method to bypass another vulnerability, CVE-2017-0199. The remote script, hosted on a domain protected by CloudFlare, led to a Russian VPS provider, further complicating the attack's traceability. The second stage involved an HTML file with JavaScript code designed to ensure persistence, decode, and save the embedded payload as a seemingly innocuous Cisco AnyConnect VPN file. This payload, a dynamic-link library, was responsible for injecting Cobalt Strike Beacon into memory, awaiting further instructions from a command and control (C2) server.

Evasion Tactics and Attribution Challenges

The attackers employed a cracked version of Cobalt Strike and implemented various features to evade detection and complicate analysis by experts. Despite the sophisticated nature of the attack, Deep Instinct Threat Lab has not attributed it to any known threat actor. The evidence collected suggests that the sample originated from Ukraine, with the second stage hosted by a Russian VPS provider and the Cobalt beacon C&C registered in Warsaw, Poland. The choice of domain names for the attack, which appeared unrelated to military content, added an additional layer of obfuscation to the attackers' intentions.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News