Government, Union-Themed Lures Used to Deliver Cobalt Strike Payloads

  • Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow–on attacks.

    The company published a new advisory about the campaign on Wednesday saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand with a malicious Microsoft Word document attachment as their initial attack vectors.

    The malicious attachment would then try to exploit a remote code execution (RCE) vulnerability (tracked CVE–2017–0199) in Microsoft Office.

    “If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker–controlled Bitbucket repository,” Cisco Talos wrote.

    Following the initial infection, the security company said it discovered two attack methodologies employed by the threat actor in this campaign.

    The first one saw the downloaded DOTM template executing an embedded malicious Visual Basic (VB) script, which led to the generation and execution of other obfuscated VB and PowerShell scripts.

    The second one, on the other hand, involved the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

    “The payload discovered is a leaked version of a Cobalt Strike beacon,” the Talos advisory reads.

    “The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”

    While the main payload discovered in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information–stealer and Amadey botnet executables as payloads.

    “This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” Talos wrote.

    “Defenders should implement behavioral protection capabilities in the organization’s defense to effectively protect them against fileless threats.”

    Additionally, Talos warned organizations to remain vigilant on the Cobalt Strike beacons and implement layered defenses designed to thwart the threat actor’s attempts in the earlier stage of the attack’s infection chain.

    The advisory comes weeks after Group–IB revealed that the Chinese advanced persistent threat (APT) actor known as APT41 used Cobalt Strike to target at least 13 organizations around the world.