Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions

June 01, 2017
Matthew Mesa, Axel F, Pierre T, Travis Green


In May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is a tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We previously reported on MWI when it added support for CVE-2016-4117 [2]. After the latest update, MWI is now using CVE-2017-0199 [4][5] to launch an HTML Application (HTA) used for both information collection and payload execution.

This activity targets organizations in the financial vertical including banks, banking software vendors, and ATM software and hardware vendors. The emails are sent to technology and security personnel working in departments including Fraud and Information Security.

The actor involved is believed to be the Cobalt group -- an actor known to target banks in Europe and Asia and previously documented by Group IB [1]. The malicious documents created with MWI for use in these activities delivered Metasploit Stager, Cobalt Strike, and previously undocumented malware we named Cyst Downloader.

Email Lures

While we observed numerous malicious attachments, we describe two here and list the rest in the IOC section.

  • In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по информационной безопасности” (Information Security Notice) and contained a Microsoft Word attachment named “сводка1705.doc” (report1705) (Figure 3).
  • Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4) “Требования безопасности.doc” (Safety requirements).

Microsoft Word Intruder Figure 1

Figure 1: Email used to deliver the MWI document (Body translated: “Good day, important to familiarize yourself!”)

Microsoft Word Intruder Figure 2

Figure 2: Email used to deliver the MWI document (Body translated: “Please accept following advice and recommendations regarding necessary safety precautions”)

Microsoft Word Intruder Figure 3

Figure 3: MWI document after the exploit is triggered; the lure displays unreadable characters

Microsoft Word Intruder Figure 4

Figure 4: MWI document after the exploit is triggered; the lure describes the different ways to pay for a delinquent MTS (Russian mobile provider) bill

MWI Advertising Integration of CVE-2017-0199

Before we describe our MWI analysis, it is worth mentioning that on May 8, 2017, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2017-0199, and was recruiting customers for several available seats. The full version of the original Russian advertisement and its English translation follow:

Microsoft Office Word Exploits, universal .doc exploit-pack
имеется несколько мест на CVE-2017-0199 (OLE2LINK)
* билдер
* статистика
* запуск exe/dll (скриплеттов)
* запуск cmd/powershell
* поддержка, обновления, чистки
подробности: [REDACTED_EMAIL]
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158


Microsoft Office Word Exploits, universal .doc exploit-pack
There are several spots available for the CVE-2017-0199 (OLE2LINK)
* Builder
* Statistics
* Running exe / dll (scriptlets)
* Starting cmd / powershell
* Support, updates, cleaning
[*] MICROSOFT WORD INTRUDER 8 - the best APT-like * .doc exploit pack
CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158

MWI Analysis

When the document is opened, it drops the embedded payload into a temporary directory, as is typical of RTFs with embedded objects [6]. Next, the CVE-2017-0199 exploit downloads and executes the HTA.
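Added example (not code from Proofpoint or from MWI): a small Python triage script for RTF files that keys on the markers an OLE2Link-style linked object of this kind leaves behind. The `\objupdate` control word, the `OLE2Link` class name inside the hex-encoded `\objdata` group, and a UTF-16LE link target are assumptions about how such documents are commonly built rather than details taken from this article; the sample RTF is constructed and carries only those markers, not a working exploit object.

```python
"""Heuristic triage of RTF files for OLE2Link-style auto-updating link objects.

Added example, not Proofpoint's or MWI's code. The markers it keys on
(the \\objupdate control word, the "OLE2Link" class name, a UTF-16LE link
target inside the object data) are assumptions about how such documents
are commonly built, not something taken from the article.
"""
import re

# Constructed sample: just enough RTF structure to exercise the scanner.
# The \objdata hex is the ASCII class name followed by a placeholder URL
# encoded as UTF-16LE; it is not a functional exploit object.
_PLACEHOLDER_URL = "http://c2.invalid/update.hta"
_FAKE_OBJECT = b"OLE2Link" + b"\x00" * 8 + _PLACEHOLDER_URL.encode("utf-16-le")
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate\rsltpict"
    r"{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _FAKE_OBJECT.hex() + "}}}"
)
BENIGN_RTF = r"{\rtf1\ansi Hello, world.}"

_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
_URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def decode_objdata(rtf: str) -> list[bytes]:
    """Hex-decode every \\objdata group found in the document text."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        if len(hexdata) % 2:          # tolerate a trailing odd nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def find_utf16_urls(blob: bytes) -> list[str]:
    """Recover http(s) URLs stored as UTF-16LE, trying both byte alignments."""
    found = []
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        found.extend(_URL_RE.findall(text))
    return sorted(set(found))


def triage_rtf(rtf: str) -> dict:
    """Flag a document whose link object auto-updates and names OLE2Link or a URL."""
    blobs = decode_objdata(rtf)
    has_objupdate = "\\objupdate" in rtf
    has_ole2link = any(b"OLE2Link" in b for b in blobs)
    urls = [u for b in blobs for u in find_utf16_urls(b)]
    return {
        "objupdate": has_objupdate,
        "ole2link": has_ole2link,
        "urls": urls,
        "suspicious": has_objupdate and (has_ole2link or bool(urls)),
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

Run stand-alone, the script prints a verdict for the constructed sample and for a benign document. On real files, pass the decoded RTF text to `triage_rtf` and treat a hit as a reason to detonate the document in a sandbox: a link object that auto-updates from a remote URL is exactly the behaviour this exploit relies on, and the recovered URL is a ready-made network indicator.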

From our analysis, the purpose of the HTA is two-fold. It is used to download and/or execute the payload as well as collect information about the infected machine. Thus the advertisement description is accurate. In the example analyzed here, shown in Figure 5, the MWI HTA is configured to run an executable payload embedded in the document, which was previously saved into the temporary directory when the recipient opened the document. Note that the HTA could have alternatively been configured to download and run an executable, DLL, or a JScript/VBscript file. It is also configured to collect and report information about the system, such as installed antivirus applications, running processes, and whether execution of the payload was successful.

Microsoft Word Intruder Figure 5

Figure 5: Configuration section of the MWI HTA

As mentioned above, depending on how MWI is configured, it has different ways of executing the payload. Figure 6 shows the code snippet used for executing EXE and DLL payloads. There is also functionality for executing JScript/VBScript (Figure 7) and cmd/PowerShell. All three methods generate a section for the Command and Control (C&C) report letting the operator know if the execution was successful.

Microsoft Word Intruder Figure 6

Figure 6: Portion of the HTA code responsible for running DLLs and Executables

Microsoft Word Intruder Figure 7

Figure 7: Portion of the HTA code responsible for executing VBScript/Jscript

The information collection code is responsible for profiling the system. It collects network details, operating system information, installed antivirus products, and running processes (see list below). This collected information is base64-encoded and sent to the C&C server.

  • UserName
  • ComputerName
  • UserDomain
  • OS Version
  • OS SerialNumber
  • WindowsDirectory
  • CodeSet
  • CountryCode
  • OSLanguage
  • CurrentTimeZone
  • Locale
  • DefaultProxy
  • Antivirus displayName
  • Antivirus instanceGuid
  • Antivirus pathToSignedProductExe
  • Antivirus pathToSignedReportingExe
  • Antivirus productState
  • Antivirus Timestamp
  • Running process ProcessId
  • Running process Name
  • Running process ExecutablePath

Microsoft Word Intruder Figure 8

Figure 8: Section of the HTA responsible for collecting information about the system

Microsoft Word Intruder Figure 9

Figure 9: Section of the HTA responsible for sending collected data

Microsoft Word Intruder Figure 10

Figure 10: Function in the HTA used to send collected data

Malware Payload: Metasploit Stager

The payload installed most frequently by MWI was the Metasploit stager, which in turn downloaded Cobalt Strike. The Metasploit stager [7] is used to stage additional malware and we often see it in penetration testing as well as real attacks.

Malware Payload: Cyst Downloader and Plugin

However, in at least one case we observed an MWI document install a previously unknown malware (SHA256: af17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3). We are calling it the Cyst Downloader. The functionality of this loader is limited. It can create a mutex such as “syst<10 digits>” and communicate with the C&C server to receive a DLL plugin. The URI path pattern of the C&C beacon contains a folder (random alphanumeric name) followed by a file (random alphanumeric name) with a .jpg, .php, .gif, or .png extension. The downloaded DLL is encrypted with the hardcoded RC4 key "\x28\xBF\x0A\xBE\x5B\x6E\x70\x03" and base64-encoded. The server sends the DLL in HTML comments in a fake 404 response.

Microsoft Word Intruder Figure 11

Figure 11: Cyst Downloader communicating with the C&C and receiving a payload plugin

The DLL plugin is loaded in memory by the loader and does not access the disk. This plugin has the internal name “test.dll”, which may indicate it is still in development. This plugin has only one export named “Execute”, which is hardcoded into the Cyst loader. The plugin enumerates URLs stored in the browser history, with support for Internet Explorer, Chrome, Firefox, and Opera:

  • IE: parse history using the IUrlHistoryStg2::EnumUrls method
  • Chrome: parse history using a SQL query : “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”
  • Firefox: parse history using a SQL query : “SELECT url, (last_visit_date/1000000) FROM moz_places”
  • Opera: parse history using a SQL query : “SELECT url, (last_visit_time/1000000-11644473600) FROM urls”

These methods of browser history parsing are well known and have been used for a long time by malware authors. The visited URLs retrieved are stored in malware memory using this format:

"browser: (IE|Chrome|Firefox|Opera)\r\n" + "url: %s" + " | time: %d\r\n"

Microsoft Word Intruder Figure 12

Figure 12: Example of visited URLs (recovered from browser history) stored in memory

This data is then RC4 encrypted and sent to the same C&C. The attacker is likely parsing the data on the server side and searching for a set of selected domains relevant to their attack, making it an efficient filter for interesting targets.
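The two Cyst exchanges described in this section, the plugin delivered inside an HTML comment of a fake 404 response and the RC4-encrypted browser-history records sent back to the same C&C, as an added Python example that is not Proofpoint's or the malware's code. Only the RC4 key is taken from the article; the comment delimiters, the HTTP body, the fake plugin bytes, the history records and the `webkit_to_unix` helper name are constructed here for illustration. The helper applies the `last_visit_time/1000000-11644473600` conversion quoted in the Chrome and Opera queries above, so the example also shows why those two queries share the offset while Firefox's does not.

```python
"""Decoders for the Cyst Downloader traffic described in the article.

Added example, not Proofpoint's or the malware's code. The RC4 key is the
one quoted in the article; everything else (comment markers, record layout,
sample messages) is constructed here for illustration.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Optional

RC4_KEY = b"\x28\xBF\x0A\xBE\x5B\x6E\x70\x03"   # hardcoded key from the article
WEBKIT_EPOCH_OFFSET = 11644473600                # seconds from 1601-01-01 to 1970-01-01


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


_COMMENT_RE = re.compile(rb"<!--\s*([A-Za-z0-9+/=\s]+?)\s*-->", re.S)


def extract_plugin(http_body: bytes) -> Optional[bytes]:
    """Pull the base64 blob out of the HTML comment in a fake 404 and decrypt it."""
    m = _COMMENT_RE.search(http_body)
    if not m:
        return None
    encoded = re.sub(rb"\s+", b"", m.group(1))
    return rc4(RC4_KEY, base64.b64decode(encoded))


def webkit_to_unix(last_visit_time: int) -> int:
    """Chrome/Opera 'last_visit_time' (microseconds since 1601) to Unix seconds,
    i.e. the (last_visit_time/1000000 - 11644473600) expression in the queries."""
    return last_visit_time // 1_000_000 - WEBKIT_EPOCH_OFFSET


_RECORD_RE = re.compile(
    rb"browser: (IE|Chrome|Firefox|Opera)\r\nurl: ([^\r\n|]+?) \| time: (\d+)\r\n"
)


def parse_history_records(plaintext: bytes) -> list[dict]:
    """Parse records laid out as 'browser: X\\r\\nurl: %s | time: %d\\r\\n'."""
    records = []
    for browser, url, ts in _RECORD_RE.findall(plaintext):
        unix = int(ts)
        records.append({
            "browser": browser.decode(),
            "url": url.decode(errors="replace"),
            "time": unix,
            "iso": datetime.fromtimestamp(unix, tz=timezone.utc).isoformat(),
        })
    return records


# --- constructed sample traffic (not captured data) -----------------------
FAKE_PLUGIN = b"MZ" + b"\x00" * 6 + b"test.dll placeholder"   # stands in for the DLL
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1>\n<!-- "
    + base64.b64encode(rc4(RC4_KEY, FAKE_PLUGIN))
    + b" -->\n</body></html>"
)
SAMPLE_EXFIL = rc4(
    RC4_KEY,
    b"browser: Chrome\r\nurl: http://bank.example/login | time: %d\r\n"
    % webkit_to_unix(13139000000000000)
    + b"browser: IE\r\nurl: http://intranet.example/ | time: 1496275200\r\n",
)

if __name__ == "__main__":
    print("plugin bytes:", extract_plugin(SAMPLE_404))
    for rec in parse_history_records(rc4(RC4_KEY, SAMPLE_EXFIL)):
        print(rec)
```

For incident response the two functions map onto the two directions of the traffic: `extract_plugin` turns a captured fake-404 body into the DLL that was loaded in memory and never touched disk, and `parse_history_records` turns a decrypted beacon into the list of sites the actor was filtering for, which tells you what the operators considered an interesting victim.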


Microsoft Word Intruder is a powerful tool for creating exploit documents that can be used in a variety of malicious campaigns. In this case, not only was it used to install known malware and customizable scripts and executables, but it also installed a previously undocumented malware called Cyst Downloader. While exploit documents are less commonly used in attacks as malicious attachments and hosted files than macro documents, the availability of often unpatched vulnerabilities like CVE-2017-0199 makes them attractive to threat actors. We will continue to monitor MWI development and campaigns by Cobalt and other actors using associated exploit documents.


Special thanks to our colleague Andrew Komarov (InfoArmor Inc.) for his help in this study.


Indicators of Compromise (IOCs)

IOC Type

  • MWI Document
  • MWI Document
  • MWI Document
  • MWI Document
  • MWI Document
  • Metasploit Stager
  • Cobalt Strike Download
  • Cobalt Strike Download
  • Cobalt Strike Download
  • Cobalt Strike
  • Cobalt Strike C&C
  • Cobalt Strike C&C
  • Cyst Downloader
  • Cyst Downloader C&C
  • Cyst Plugin (browser history checker)

ET and ETPRO Suricata/Snort Coverage

2024306 ET TROJAN MWI Maldoc Load Payload
2024197 ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day)
2024307 ET TROJAN MWI Maldoc Posting Host Data
2814013 ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert
2023629 ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike
2826544 ETPRO TROJAN Cyst Downloader Fake 404