{
	"id": "70711deb-36f8-422c-9e69-6ce37e156d40",
	"created_at": "2026-04-06T00:13:15.577674Z",
	"updated_at": "2026-04-10T03:35:12.551219Z",
	"deleted_at": null,
	"sha1_hash": "bf16b59823a8a623754fc9cc1f13fd9acb97b768",
	"title": "Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1596500,
	"plain_text": "Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by\r\nCobalt Group to Target Financial Institutions | Proofpoint US\r\nBy June 01, 2017 Matthew Mesa, Axel F, Pierre T, Travis Green\r\nPublished: 2017-06-01 · Archived: 2026-04-05 16:07:41 UTC\r\nOverview\r\nIn May, Proofpoint observed multiple campaigns using a new version of Microsoft Word Intruder (MWI). MWI is\r\na tool sold on underground markets for creating exploit-laden documents, generally used in targeted attacks. We\r\npreviously reported about MWI when it added support for CVE-2016-4117 [2]. After the latest update, MWI is\r\nnow using CVE-2017-0199 [4][5] to launch an HTML Application (HTA) used for both information collection\r\nand payload execution.\r\nThis activity targets organizations in the financial vertical including banks, banking software vendors, and ATM\r\nsoftware and hardware vendors. The emails are sent to technology and security personnel working in departments\r\nincluding Fraud and Information Security.\r\nThe actor involved is believed to be the Cobalt group -- an actor known to target banks in Europe and Asia and\r\npreviously documented by Group IB [1]. 
The malicious documents created with MWI for use in these activities\r\ndelivered Metasploit Stager, Cobalt Strike, and previously undocumented malware we named Cyst Downloader.\r\nEmail Lures\r\nWhile we observed numerous malicious attachments, we describe two here and list the rest in the IOC section.\r\nIn the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject “Памятка по\r\nинформационной безопасности” (Information Security Notice) and contained a Microsoft Word\r\nattachment named “сводка1705.doc” (report1705) (Figure 3).\r\nAnother email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card\r\ncompany with the subject line “Безопасность” (security) and a Microsoft Word attachment (Figure 4)\r\n“Требования безопасности.doc” (Safety requirements).\r\nhttps://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target\r\nPage 1 of 14\n\nFigure 1: Email used to deliver the MWI document (Body translated: “Good day, important to familiarize\r\nyourself!”)\r\nFigure 2: Email used to deliver the MWI document (Body translated: “Please accept following advice and\r\nrecommendations regarding necessary safety precautions”)\r\nFigure 3: MWI document after the exploit is triggered; the lure displays unreadable characters\r\nFigure 4: MWI document after the exploit is triggered; the lure describes the different ways to pay for a delinquent\r\nMTS (Russian mobile provider) bill\r\nMWI Advertising Integration of CVE-2017-0199\r\nBefore we describe our MWI analysis, it is worth mentioning that on May 8, 2017, an advertisement for MWI on\r\nan underground site 
stated that this exploit document builder integrated CVE-2017-0199, and was recruiting\r\ncustomers for several available seats. The full version of the original Russian advertisement and its English\r\ntranslation follow:\r\nMicrosoft Office Word Exploits, universal .doc exploit-pack\r\nимеется несколько мест на CVE-2017-0199 (OLE2LINK)\r\n* билдер\r\n* статистика\r\n* запуск exe/dll (скриплеттов)\r\n* запуск cmd/powershell\r\n* поддержка, обновления, чистки\r\nподробности: [REDACTED_EMAIL]\r\n---\r\n[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack\r\nCVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158\r\nTranslation:\r\nMicrosoft Office Word Exploits, universal .doc exploit-pack\r\nThere are several spots available for the CVE-2017-0199 (OLE2LINK)\r\n* Builder\r\n* Statistics\r\n* Running exe / dll (scriptlets)\r\n* Starting cmd / powershell\r\n* Support, updates, cleaning\r\nDetails: [REDACTED_EMAIL]\r\n---\r\n[*] MICROSOFT WORD INTRUDER 8 - the best APT-like *.doc exploit pack\r\nCVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158\r\nMWI Analysis\r\nWhen the document is opened, it drops the embedded payload into a temporary directory, as is typical of RTFs\r\nwith embedded objects [6]. Next, the CVE-2017-0199 exploit downloads and executes the HTA.\r\nFrom our analysis, the purpose of the HTA is two-fold. It is used to download and/or execute the payload as well\r\nas collect information about the infected machine. Thus the advertisement description is accurate. 
In the example\r\nanalyzed here, shown in Figure 5, the MWI HTA is configured to run an executable payload embedded in the\r\ndocument, which was previously saved into the temporary directory when the recipient opened the document.\r\nNote that the HTA could have alternatively been configured to download and run an executable, DLL, or a\r\nJScript/VBScript file. It is also configured to collect and report information about the system, such as installed\r\nantivirus applications, running processes, and whether execution of the payload was successful.\r\nFigure 5: Configuration section of the MWI HTA\r\nAs mentioned above, depending on how MWI is configured, it has different ways of executing the payload. Figure\r\n6 shows the code snippet used for executing EXE and DLL payloads. There is also functionality for executing\r\nJScript/VBScript (Figure 7) and cmd/PowerShell. All three methods generate a section for the Command and\r\nControl (C\u0026C) report letting the operator know if the execution was successful.\r\nFigure 6: Portion of the HTA code responsible for running DLLs and Executables\r\nFigure 7: Portion of the HTA code responsible for executing VBScript/JScript\r\nThe information collection code is responsible for profiling the system. It collects network details, operating\r\nsystem information, installed antivirus products, and running processes (see list below). 
This collected information\r\nis encoded with base64 and sent to its C\u0026C server.\r\nUserName\r\nComputerName\r\nUserDomain\r\nOS Version\r\nOS SerialNumber\r\nWindowsDirectory\r\nCodeSet\r\nCountryCode\r\nOSLanguage\r\nCurrentTimeZone\r\nLocale\r\nDefaultProxy\r\nAntivirus displayName\r\nAntivirus instanceGuid\r\nAntivirus pathToSignedProductExe\r\nAntivirus pathToSignedReportingExe\r\nAntivirus productState\r\nAntivirus Timestamp\r\nRunning process ProcessId\r\nRunning process Name\r\nRunning process ExecutablePath\r\nFigure 8: Section of the HTA responsible for collecting information about the system\r\nFigure 9: Section of the HTA responsible for sending collected data\r\nFigure 10: Function in the HTA used to send collected data\r\nMalware Payload: Metasploit Stager\r\nThe payload installed most frequently by MWI was the Metasploit stager, which in turn downloaded Cobalt\r\nStrike. The Metasploit stager [7] is used to stage additional malware, and we often see it in penetration testing as\r\nwell as real attacks.\r\nMalware Payload: Cyst Downloader and Plugin\r\nHowever, in at least one case we observed an MWI document install a previously unknown malware (SHA256:\r\naf17a3b5bf4c78283b2ee338ac6d457b9f3e7b7187c7e9d8651452b78574b3d3). We are calling it the Cyst\r\nDownloader. The functionality of this loader is limited. It can create a mutex such as “syst\u003c10 digits\u003e” and\r\ncommunicate with the C\u0026C server to receive a DLL plugin. The URI path pattern of the C\u0026C beacon contains\r\na folder (random alphanumeric name) followed by a file (random alphanumeric name) with a .jpg, .php, .gif, or\r\n.png extension. 
The downloaded DLL is encrypted with a hardcoded \"\\x28\\xBF\\x0A\\xBE\\x5B\\x6E\\x70\\x03\"\r\nRC4 key and base64 encoded. The server sends the DLL in HTML comments in a fake 404 response.\r\nFigure 11: Cyst Downloader communicating with the C\u0026C and receiving a payload plugin\r\nThe DLL plugin is loaded in memory by the loader and does not access the disk. This plugin has the internal name\r\n“test.dll”, which may indicate it is still in development. This plugin has only one export named “Execute”, which\r\nis hardcoded into the Cyst loader. The plugin enumerates URLs stored in the browser history, with support for\r\nInternet Explorer, Chrome, Firefox, and Opera:\r\nIE: parse history using the IUrlHistoryStg2::EnumUrls method\r\nChrome: parse history using a SQL query: “SELECT url, (last_visit_time/1000000-11644473600) FROM\r\nurls”\r\nFirefox: parse history using a SQL query: “SELECT url, (last_visit_date/1000000) FROM moz_places”\r\nOpera: parse history using a SQL query: “SELECT url, (last_visit_time/1000000-11644473600) FROM\r\nurls”\r\nThese methods of browser history parsing are well-known and have been used for a long time by malware authors.\r\nThe visited URLs retrieved are stored in malware memory using this format:\r\n\"browser: (IE|Chrome|Firefox|Opera)\\r\\n\" + \"url: %s\" + \" | time: %d\\r\\n\"\r\nFigure 12: Example of visited URLs (recovered from browser history) stored in memory\r\nThis data is then RC4 encrypted and sent to the same C\u0026C. The attacker is likely parsing the data on the server\r\nside and searching for a set of selected domains relevant to their attack, making it an efficient filter for interesting\r\ntargets.\r\nConclusion\r\nMicrosoft Word Intruder is a powerful tool for creating exploit documents that can be used in a variety of\r\nmalicious campaigns. 
In this case, not only was it used to install known malware and customizable scripts and\r\nexecutables, but it also installed a previously undocumented malware called Cyst Downloader. While exploit\r\ndocuments are less commonly used in attacks as malicious attachments and hosted files than macro documents,\r\nthe availability of often unpatched vulnerabilities like CVE-2017-0199 makes them attractive to threat actors. We will\r\ncontinue to monitor MWI development and campaigns by Cobalt and other actors using associated exploit\r\ndocuments.\r\nAcknowledgements\r\nSpecial thanks to our colleague Andrew Komarov (InfoArmor Inc.) for his help in this study.\r\nReferences\r\n[1] http://www.group-ib.com/cobalt.html\r\n[2] https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-vulnerability\r\n[3] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard\r\n[4] https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts\r\n[5] https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day\r\n[6] https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques\r\n[7] https://blog.cobaltstrike.com/2013/06/28/staged-payloads-what-pen-testers-should-know/\r\n[8] https://www.scmagazine.com/fincert-to-help-russian-banks-respond-to-cyber-attacks/article/535448/\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Coverage\r\n2024306 ET TROJAN MWI Maldoc Load Payload\r\n2024197 ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day)\r\n2024307 ET TROJAN MWI Maldoc Posting Host Data\r\n2814013 ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert\r\n2023629 ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\n2826544 ETPRO TROJAN Cyst Downloader Fake 404\r\nSource: 
https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target"
	],
	"report_names": [
		"microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf16b59823a8a623754fc9cc1f13fd9acb97b768.pdf",
		"text": "https://archive.orkl.eu/bf16b59823a8a623754fc9cc1f13fd9acb97b768.txt",
		"img": "https://archive.orkl.eu/bf16b59823a8a623754fc9cc1f13fd9acb97b768.jpg"
	}
}