"Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads"

Security researchers at Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks. The researchers stated that the threat actors behind the campaign used a phishing email impersonating either a government organization in the US or a trade union in New Zealand, with a malicious Microsoft Word document attachment, as their initial attack vector. The malicious attachment would then try to exploit a remote code execution (RCE) vulnerability (tracked as CVE-2017-0199) in Microsoft Office. The researchers noted that if a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Following the initial infection, the researchers said they discovered two attack methodologies employed by the threat actor in this campaign. In the first, the downloaded DOTM template executes an embedded malicious Visual Basic (VB) script, which generates and executes further obfuscated VB and PowerShell scripts. In the second, the malicious VB script downloads and runs a Windows executable that executes malicious PowerShell commands to download and implant the payload. The researchers noted that the payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high-reputation domain configured, a redirection technique used to disguise the beacon's traffic. The researchers noted that while the main payload discovered in this campaign is a Cobalt Strike beacon, the threat actors also used the Redline information-stealer and Amadey botnet executables as payloads.
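One indicator a defender can check for from this description is the remote-template fetch: an Office Open XML package whose relationship parts point at an External target of the attachedTemplate (or linked oleObject) type. The following scanner is an added example, not code from Cisco Talos or Infosecurity; the package it inspects is constructed in memory, and the Bitbucket-style URL in it is a placeholder, not an indicator from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose External targets make Word fetch remote content.
WATCHED_TYPES = {OFFICE_REL + "attachedTemplate": "attachedTemplate",
                 OFFICE_REL + "oleObject": "oleObject"}


def find_external_relationships(package: bytes) -> List[Dict[str, str]]:
    """Return each External-mode relationship of a watched type found in any
    .rels part of the OOXML zip; a benign local-only document yields []."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                kind = WATCHED_TYPES.get(rel.get("Type", ""))
                if kind and rel.get("TargetMode") == "External":
                    findings.append({"part": name, "kind": kind,
                                     "target": rel.get("Target", "")})
    return findings


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal package (not a real maldoc): an empty document plus a
    settings.xml.rels that optionally points at a remote attached template."""
    rel = ""
    if template_url:
        rel = ('<Relationship Id="rId1" Type="%sattachedTemplate" '
               'Target="%s" TargetMode="External"/>' % (OFFICE_REL, template_url))
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demo; not an IoC from the report.
    sample = build_sample_docx("https://bitbucket.example/constructed/template.dotm")
    for hit in find_external_relationships(sample):
        print("%s: %s -> %s" % (hit["part"], hit["kind"], hit["target"]))
```

Run `find_external_relationships()` over the bytes of a real .docx or .dotm to list every relationship that would trigger a remote fetch when the document is opened.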


Infosecurity reports: "Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads"
