Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks.
The company published a new advisory about the campaign on Wednesday, saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand, with a malicious Microsoft Word document attachment as the initial attack vector.
The malicious attachment would then attempt to exploit a remote code execution (RCE) vulnerability (tracked as CVE-2017-0199) in Microsoft Office.
“If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository,” Cisco Talos wrote.
Following the initial infection, the security firm said it discovered two attack methodologies used by the threat actor in this campaign.
The first one saw the downloaded DOTM template execute an embedded malicious Visual Basic (VB) script, which led to the generation and execution of further obfuscated VB and PowerShell scripts.
The second, on the other hand, involved the malicious VB script downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” the Talos advisory reads.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
While the main payload discovered in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information-stealer and Amadey botnet executables as payloads.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” Talos wrote.
“Defenders must implement behavioral protection capabilities in the organization’s defense to effectively protect them against fileless threats.”
Additionally, Talos warned organizations to remain vigilant about Cobalt Strike beacons and to implement layered defenses designed to thwart the threat actor’s attempts in the earlier phases of the attack’s infection chain.
The advisory comes months after Group-IB revealed that the Chinese advanced persistent threat (APT) actor known as APT41 used Cobalt Strike to target at least 13 organizations around the world.