Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks.
The company published a new advisory about the campaign on Wednesday, saying the threat actors behind it used a phishing email impersonating either a US government agency or a trade union in New Zealand, with a malicious Microsoft Word document attachment as the initial attack vector.
The malicious attachment then attempts to exploit a remote code execution (RCE) vulnerability (tracked as CVE-2017-0199) in Microsoft Office.
“If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository,” Cisco Talos wrote.
Following the initial infection, the security firm said it identified two attack methodologies used by the threat actor in this campaign.
In the first, the downloaded DOTM template executes an embedded malicious Visual Basic (VB) script, which leads to the generation and execution of further obfuscated VB and PowerShell scripts.
In the second, the malicious VB script downloads and runs a Windows executable that executes malicious PowerShell commands to download and implant the payload.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” the Talos advisory reads.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
While the main payload found in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information-stealer and Amadey botnet executables as payloads.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” Talos wrote.
“Defenders should implement behavioral protection capabilities in the organization’s defense to effectively protect them against fileless threats.”
Additionally, Talos warned organizations to remain vigilant against Cobalt Strike beacons and to implement layered defenses designed to thwart the threat actor’s attempts in the early stage of the attack’s infection chain.
The advisory comes months after Group-IB disclosed that the Chinese advanced persistent threat (APT) actor known as APT41 used Cobalt Strike to target at least 13 organizations around the world.
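One early-stage check a defender can run on inbound Word attachments, matching the remote-template download described above: inspect the document's settings relationships for an attached template that points to an external URL. This is an added example, not Talos's code; the sample archives and the URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship part that records the attached template.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(doc_bytes: bytes) -> list[str]:
    """Return external attachedTemplate targets found in a Word (.docx/.dotm) file.

    A non-empty result means Word will try to fetch the template from that
    location when the document is opened, which is the behaviour to alert on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("Type") == TEMPLATE_TYPE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def build_sample(target: str, external: bool) -> bytes:
    """Construct a minimal Word archive with one attachedTemplate relationship (test data only)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: not a real indicator from the campaign.
    print(find_remote_templates(build_sample("https://example.invalid/template.dotm", True)))
    print(find_remote_templates(build_sample("Normal.dotm", False)))  # → []
```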
Some parts of this article are sourced from:
www.infosecurity-journal.com