Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads
Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks.
The company published a new advisory about the campaign on Wednesday, saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand, with a malicious Microsoft Word document attachment as the initial attack vector.
The malicious attachment would then try to exploit a remote code execution (RCE) vulnerability in Microsoft Office, tracked as CVE-2017-0199.
“If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository,” Cisco Talos wrote.
Following the initial infection, the security company said it discovered two attack methodologies employed by the threat actor in this campaign.
The first one saw the downloaded DOTM template executing an embedded malicious Visual Basic (VB) script, which led to the generation and execution of other obfuscated VB and PowerShell scripts.
In the second, the malicious VB script downloaded and ran a Windows executable, which in turn executed PowerShell commands to download and implant the payload.
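The initial stage described above (a Word document that pulls a remote template, the CVE-2017-0199 pattern) leaves a recognizable trace in the document itself: a `.docx` is a ZIP package, and the template link lives in `word/_rels/settings.xml.rels` as an `attachedTemplate` relationship whose `Target` points outside the package. The scanner below is an added example written for this article, not code from Cisco Talos; it builds a minimal constructed fixture in memory (not a real maldoc, and the `remote.example.invalid` URL is a placeholder) and flags any attached-template relationship that resolves to an HTTP, FTP or UNC location rather than a local file.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML namespaces and the relationship type that carries an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_sample_docx(template_target, external=True):
    """Constructed fixture: a minimal ZIP with only the parts the scanner reads.
    It is not a usable Word document; it exists so the detector can be exercised offline."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def _is_remote(target):
    """True when a relationship target resolves over the network rather than to a local file.
    Benign documents commonly carry file:///C:/.../Normal.dotm, which is left alone."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC share
    parts = urlsplit(t)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    if parts.scheme == "file" and parts.netloc not in ("", "localhost"):
        return True  # file://server/share is a UNC path, not a local template
    return False


def find_external_templates(docx_bytes):
    """Return [(rels_part, target)] for attachedTemplate relationships that point off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if _is_remote(target):
                    findings.append((name, target))
    return findings


def scan_file(path):
    """Scan a .docx/.dotx/.docm on disk; non-ZIP input yields no findings."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    return find_external_templates(data)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # Self-demonstration on the constructed fixtures when no files are given.
        bad = build_sample_docx("https://remote.example.invalid/template.dotm")
        good = build_sample_docx(r"file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm")
        print("fixture with remote template:", find_external_templates(bad))
        print("fixture with local template :", find_external_templates(good))
    for p in paths:
        for part, target in scan_file(p):
            print(f"{p}: remote attached template in {part} -> {target}")
```

Run it over a mail-gateway quarantine directory to triage attachments before they reach users; a hit on `attachedTemplate` with an HTTP target is worth blocking on its own, since ordinary documents reference templates on the local profile or a trusted file share.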
“The payload discovered is a leaked version of a Cobalt Strike beacon,” the Talos advisory reads.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
While the main payload discovered in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information-stealer and Amadey botnet executables as payloads.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” Talos wrote.
“Defenders should implement behavioral protection capabilities in the organization’s defense to effectively protect them against fileless threats.”
Additionally, Talos warned organizations to remain vigilant for Cobalt Strike beacons and to implement layered defenses designed to thwart the threat actor's attempts at the earlier stages of the infection chain.
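The "behavioral protection" Talos recommends against this kind of in-memory script chain usually comes down to process lineage: an Office application that spawns a script host, and a PowerShell command line that hides its window or carries an encoded command, is the observable side of the VB-to-PowerShell stages described above. The detector below is an added example, not Talos' code or a published rule; it runs over a handful of constructed Sysmon-style process-creation events (the paths, command lines and Base64 blob are made up for the fixture) and reports which events match and why.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# None of these come from the campaign; they exist only to exercise the rules.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe update.vbs"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts unambiguous parameter prefixes, so -e, -ec, -enc and
# -encodedcommand all mean EncodedCommand; -w hidden / -windowstyle hidden hide the window.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc[a-z]*)?\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:in[a-z]*)?\s+hidden\b", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of rule names the event triggers (empty when benign)."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
    if image in POWERSHELL:
        if ENCODED_RE.search(cmdline):
            reasons.append("encoded-powershell")
        if HIDDEN_RE.search(cmdline):
            reasons.append("hidden-window")
    return reasons


def detect(events):
    """Return [(index, reasons)] for every event that triggers at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev['ParentImage'])} -> {basename(ev['Image'])}: {', '.join(reasons)}")
```

The lineage rule alone fires on the fourth event (WINWORD.EXE launching wscript.exe) even though its command line looks innocuous, which is the point of layering: the parent-child relationship is harder for a script-generating loader to avoid than any particular string in the command line, and it catches the chain before the payload stage.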
The advisory comes weeks after Group-IB revealed that the Chinese advanced persistent threat (APT) actor known as APT41 used Cobalt Strike to target at least 13 organizations around the world.