Headline
New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons
A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. “The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains
A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
The malicious activity, discovered in August 2022, attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office, that allows an attacker to take control of an affected system.
The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.
Cobalt Strike beacons are far from the only malware samples deployed, for Cisco Talos said it has also observed the usage of the Redline Stealer and Amadey botnet executables as payloads at the other end of the attack chain.
Calling the attack methodology “highly modularized,” the cybersecurity company said the attack also stands out for its use of Bitbucket repositories to host malicious content that serves as a starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.
In an alternative attack sequence, the Bitbucket repository functions as a conduit to deliver obfuscated VB and PowerShell downloader scripts to install the beacon hosted on a different Bitbucket account.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.
“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…
Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack met...
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.