MWI Tool Exploits Word Vulnerability, Targets Banking Sector

In May, Proofpoint researchers observed threat actors using a new version of Microsoft Word Intruder (MWI), a tool sold in “deep web” marketplaces and used to create malicious documents. The new version exploits the CVE-2017-0199 vulnerability to launch an HTML Application (HTA) for information collection and payload execution. The malicious document delivers a Metasploit stager, Cobalt Strike, and a newly documented malware, Cyst Downloader. The actors use phishing emails to target personnel in the fraud and information security departments of organizations within the banking industry, including banks, banking software vendors, and ATM software and hardware vendors. The perpetrators are believed to be the “Cobalt Group”, a hacking collective that targets banks in Europe and Asia.

The NJCCIC recommends users and administrators review Proofpoint’s report for additional analysis on MWI and ensure all hardware and software are kept up to date with the latest security patches.