
Malware campaign exploits Microsoft vulnerability to deploy Cobalt Strike

October 12, 2022
Cisco Talos researchers have uncovered a social engineering malware campaign that exploits a remote code execution flaw in Microsoft Office to deploy a Cobalt Strike beacon on compromised victims.

The vulnerability exploited by the attacker is CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that could allow an attacker to take control of an affected system.

The entry vector used by the attacker is a phishing email containing a Microsoft Office attachment with a job offer for positions in the U.S. government and the Public Service Association, a New Zealand-based union.

“The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer explained in a new analysis released Wednesday.

The researchers explained that Cobalt Strike is not the only malware sample used during the attack. They also observed the use of the Redline Stealer and Amadey botnet executables as payloads.

The attack has been described as “highly modularized” and is notable for its use of Bitbucket repositories to host malicious content; the repositories serve as the starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.

The Bitbucket repository acts as a channel to deliver obfuscated VB and PowerShell downloader scripts, which then retrieve the beacon from a second Bitbucket account.
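The infection chain above (Office document, then a VB/PowerShell downloader, then a fetch from Bitbucket) lends itself to a simple process-tree detection. The script below is an added example for this article, not code from Cisco Talos or TuxCare; the events are constructed, simplified Sysmon-style records, and the script-host image names and Bitbucket hostnames it keys on are assumptions.

```python
"""Flag script hosts that descend from an Office process and that reach out to a
code-hosting site, mirroring the chain described in the article.  All events
below are constructed for illustration (loosely modelled on Sysmon IDs 1 and 3)."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}            # assumed parent set
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
CODE_HOSTING = {"bitbucket.org", "api.bitbucket.org"}            # assumed hostnames

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"type": "process", "pid": 4100, "ppid": 3900, "image": "WINWORD.EXE", "parent": "explorer.exe"},
    {"type": "process", "pid": 4212, "ppid": 4100, "image": "wscript.exe", "parent": "WINWORD.EXE"},
    {"type": "process", "pid": 4230, "ppid": 4212, "image": "powershell.exe", "parent": "wscript.exe"},
    {"type": "network", "pid": 4230, "image": "powershell.exe", "dest": "bitbucket.org", "port": 443},
    {"type": "process", "pid": 5001, "ppid": 3900, "image": "notepad.exe", "parent": "explorer.exe"},
    {"type": "network", "pid": 5100, "image": "git.exe", "dest": "bitbucket.org", "port": 443},  # benign
]

def base(name):
    """Lower-cased file name from a full Windows path or a bare image name."""
    return name.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return {pid: [reasons]} for script hosts matching the Office -> script -> Bitbucket chain."""
    ancestry, image = {}, {}                       # pid -> ppid, pid -> image name
    for e in events:
        if e["type"] == "process":
            ancestry[e["pid"]] = e["ppid"]
            image[e["pid"]] = base(e["image"])
            image.setdefault(e["ppid"], base(e["parent"]))

    def office_in_chain(pid):
        seen = set()                               # guard against pid reuse loops
        while pid in ancestry and pid not in seen:
            seen.add(pid)
            pid = ancestry[pid]
            if image.get(pid) in OFFICE:
                return True
        return False

    hits = defaultdict(list)
    for e in events:
        if base(e["image"]) not in SCRIPT_HOSTS or not office_in_chain(e["pid"]):
            continue                               # stage 1 not met: ignore
        if e["type"] == "process":
            hits[e["pid"]].append("script host descended from an Office process")
        elif e["type"] == "network" and e["dest"] in CODE_HOSTING:
            hits[e["pid"]].append(f"script host fetched from {e['dest']}")
    return dict(hits)

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

A legitimate `git.exe` talking to Bitbucket and an Office process with no script child both stay silent, which keeps the rule narrow to the chain the article describes.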

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory. Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain,” the researchers said.

The sources for this piece include an article in TheHackerNews.

