Malware campaign exploits Microsoft vulnerability to deploy Cobalt Strike
Cisco Talos researchers have uncovered a social engineering malware campaign that exploits a remote code execution flaw in Microsoft Office to deploy a Cobalt Strike beacon on compromised victims.
The vulnerability exploited by the attacker is CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that could allow an attacker to take control of an affected system.
The entry vector used by the attacker is a phishing email carrying a Microsoft Office attachment that poses as a job offer for positions in the U.S. government and the Public Service Association, a New Zealand-based union.
“The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer explained in a new analysis released Wednesday.
The researchers explained that Cobalt Strike is not the only malware sample used during the attack. They also observed the use of the Redline Stealer and Amadey botnet executables as payloads.
The attack has been described as “highly modularized” and is notable for its use of Bitbucket repositories to host malicious content; these repositories serve as the starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.
The Bitbucket repository also acts as a channel to deliver obfuscated VB and PowerShell downloader scripts, which fetch and install the beacon from another Bitbucket account.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory. Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain,” the researchers said.
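The infection chain described above (Office document, then VB and PowerShell downloaders pulling the beacon from Bitbucket and running it in memory) is the kind of sequence endpoint telemetry can catch early. The following is an added example written for this page, not code from the Talos analysis or the article: a small detector over constructed Sysmon-style process and network events that flags a script host with an Office ancestor connecting to bitbucket.org, and notes in-memory execution switches on its command line. The event tuple shape, process names and sample command lines are assumptions.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Switches commonly seen when a script is executed straight from memory (assumed list)
IN_MEMORY = re.compile(r"(?i)(-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring)")

# Constructed sample telemetry, not real data: (kind, pid, parent_pid, image, detail)
# "proc" carries the command line in detail, "net" carries destination host:port.
SAMPLE_EVENTS = [
    ("proc", 100, 1, "explorer.exe", "explorer.exe"),
    ("proc", 200, 100, "winword.exe", "WINWORD.EXE /n job_offer.docx"),
    ("proc", 300, 200, "wscript.exe", "wscript.exe //e:vbscript loader.vbs"),
    ("proc", 400, 300, "powershell.exe", "powershell -w hidden -enc SQBFAFgA..."),
    ("net", 400, None, "powershell.exe", "bitbucket.org:443"),
    ("proc", 500, 100, "powershell.exe", "powershell Get-Date"),
    ("net", 500, None, "powershell.exe", "update.contoso.local:443"),
]

def detect(events):
    """Return one alert string per script-host process that has an Office
    ancestor and connects to bitbucket.org. The domain alone is benign; the
    Office ancestry is what makes the download suspicious."""
    parent, image, cmdline, alerts = {}, {}, {}, []
    for kind, pid, ppid, img, detail in events:
        if kind == "proc":
            parent[pid], image[pid], cmdline[pid] = ppid, img.lower(), detail
            continue
        host = detail.split(":")[0].lower()
        if image.get(pid) not in SCRIPT_HOSTS:
            continue
        if not (host == "bitbucket.org" or host.endswith(".bitbucket.org")):
            continue
        # Walk up the process tree until an Office application is found.
        chain, p = [], pid
        while p in image:
            chain.append(image[p])
            if image[p] in OFFICE:
                break
            p = parent[p]
        else:
            continue  # no Office ancestor: an ordinary script-host download
        flags = " [in-memory-exec]" if IN_MEMORY.search(cmdline.get(pid, "")) else ""
        alerts.append(f"pid {pid}: {'->'.join(reversed(chain))} to {host}{flags}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same walk generalises to any repository or file-sharing host the downloader stage might use; only the host test changes.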
The sources for this piece include an article in TheHackerNews.