Posted on October 1, 2022 at 9:02 AM
Attackers deploy Cobalt Strike in phishing campaign targeting job seekers
A new phishing campaign is targeting job seekers in the US and New Zealand. The lures are malicious documents that ultimately install Cobalt Strike beacons, giving the attackers remote access to the victims' devices.
Phishing campaign targets job seekers in the US and New Zealand
The phishing attack is multi-staged and modular. Most of its steps rely on executing obfuscated scripts in the host's memory rather than on disk, and the chain is designed to evade detection by abusing the Bitbucket code hosting service to stage its payloads.
The campaign was detected by researchers at Cisco Talos, who identified two phishing campaigns that targeted job seekers and ended in the deployment of Cobalt Strike.
The threat actors also kept copies of the Amadey and RedLine information stealers in the same repository, so that the malware delivered could be varied depending on the target.
Both attacks start with a malicious email presenting the recipient with a lucrative job offer, purportedly from the US federal government. The emails are made to look as if they originate from the US Office of Personnel Management (OPM).
In other cases, the threat actors send a malicious document that appears to come from the New Zealand Public Service Association (PSA), a large union of public sector employees in that country.
The documents carry an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office's handling of OLE objects. Microsoft patched it in April 2017, but it was already being exploited in the wild before the fix shipped and has remained heavily used since.
One of the more recent cases was in June 2019, when an Iranian APT group added the exploit to its arsenal.
The exploit fires as soon as the target opens the document: Word fetches a remote document template (a DOTM file) from a Bitbucket repository.
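A document that fetches its template or an OLE object from a remote host leaves a trace in the OOXML package itself: a relationship entry with TargetMode="External". The following scanner is an added example, not code from Cisco Talos or the original article; it builds a minimal sample document in memory (the attacker URL and the package layout are constructed for illustration) and reports any risky external relationship it finds.

```python
"""Added example (not from the Talos research or the original article): scan an
Office Open XML package (.docx/.dotm) for relationships that point outside the
file.  A remote "attachedTemplate" is how the campaign pulls its DOTM from
Bitbucket, and an external "oleObject" link is the CVE-2017-0199 vector.  The
sample documents are constructed in memory so the script runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that should never point at a remote host in a document
# that arrived by e-mail (assumed shortlist; extend as needed).
RISKY_REL_TYPES = {"attachedTemplate", "oleObject", "subDocument", "frame"}
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def find_external_refs(doc_bytes: bytes) -> list:
    """Return every risky external relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part reference, e.g. styles.xml
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type in RISKY_REL_TYPES and urlparse(target).scheme.lower() in REMOTE_SCHEMES:
                    findings.append({"part": name, "type": rel_type, "target": target})
    return findings


def build_sample_doc(template_url: Optional[str]) -> bytes:
    """Construct a minimal package; template_url=None yields a clean document.

    Real documents keep the attached-template relationship in
    word/_rels/settings.xml.rels, which is what this mimics.
    """
    rels = [f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>']
    if template_url:
        rels.append(
            f'<Relationship Id="rId2" Type="{REL_TYPE_BASE}attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS[1:-1]}">' + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attacker URL; the campaign's real Bitbucket path is not reproduced here.
    evil = build_sample_doc("https://bitbucket.example/attacker/repo/raw/template.dotm")
    for hit in find_external_refs(evil):
        print(f"[!] {hit['part']}: {hit['type']} -> {hit['target']}")
    print("clean document findings:", find_external_refs(build_sample_doc(None)))
```

The check deliberately ignores hyperlinks, which are external by design, and only flags relationship types that cause Office to fetch and act on remote content when the document is opened. Running it against a real .docx or .dotm only requires reading the file's bytes and passing them to find_external_refs.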
The campaign is deployed using PowerShell
In the first attack chain, the threat actors execute several Visual Basic (VBA) scripts embedded in the downloaded DOTM template. These decode a data blob into an HTA file and launch the next stage via ShellExecute.
That stage decodes its payload into a PowerShell script that exists only in the host's memory and is executed without ever touching the disk.
The decoded PowerShell in turn generates another PowerShell downloader script, which connects to the Bitbucket repository, downloads a DLL named "newmodeler.dll" to the compromised machine and executes it through "rundll32.exe".
In the case analyzed by the Talos researchers, that DLL is a Cobalt Strike beacon. Cobalt Strike is a commercial offensive security suite built for penetration testing and red teaming that has been widely abused by threat actors.
The second attack chain is less sophisticated: it uses a downloader executable fetched from Bitbucket that runs as a separate process on the victim's machine, which increases the chance of detection.
The executable then runs a PowerShell command that downloads the Cobalt Strike DLL to a different directory, after which the command deletes itself to reduce its footprint.
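Because every stage above is a child of the one before it, the chain shows up in endpoint telemetry as process lineage: an Office application spawning a script host, which spawns PowerShell, which spawns rundll32 loading a DLL from a user-writable directory. The detection below is an added example, not code from Cisco Talos or the original article; it runs over constructed Sysmon-style process-creation events (the pids, paths, DLL export name and encoded PowerShell argument are placeholders) and scores each rundll32 launch by its ancestry and command line.

```python
"""Added example (not part of the Talos write-up): reconstruct process lineage
from process-creation events and flag the Office -> mshta -> PowerShell ->
rundll32 chain described above.  The events are constructed Sysmon-style
records, not telemetry from the campaign; the DLL export name and the encoded
PowerShell argument are placeholders."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Flags typical of in-memory stagers: encoded command, hidden window, no profile, web download.
PS_FLAGS = re.compile(r"(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*|downloadstring|downloadfile)", re.I)
# Directories a non-admin user can write to; a DLL loaded from here by rundll32 is a red flag.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)
ALERT_THRESHOLD = 4

# Constructed sample events (pid, parent pid, image path, command line).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Job_Offer.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage2.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -enc SQBFAFgA"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\newmodeler.dll,Main"},
    # Benign control: Explorer launching a Control Panel applet through rundll32.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk parent pointers from pid upward; stops at unknown pids or cycles (pid reuse)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def score_rundll32(ev, by_pid):
    """Score one rundll32 event by what its lineage and command line look like."""
    lineage = ancestors(by_pid, ev["ppid"])
    names = [basename(a["image"]) for a in lineage]
    score, reasons = 0, []
    if any(n in OFFICE_APPS for n in names):
        score += 2
        reasons.append("Office application in lineage")
    if any(n in SCRIPT_HOSTS for n in names):
        score += 1
        reasons.append("script host (mshta/wscript) in lineage")
    if any(basename(a["image"]) in POWERSHELL and PS_FLAGS.search(a["cmd"]) for a in lineage):
        score += 2
        reasons.append("PowerShell ancestor with hidden/encoded/download flags")
    if USER_WRITABLE.search(ev["cmd"]):
        score += 2
        reasons.append("DLL loaded from a user-writable directory")
    return score, reasons, names


def detect_chain(events):
    """Return alerts for rundll32 launches whose score reaches ALERT_THRESHOLD."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev["image"]) != "rundll32.exe":
            continue
        score, reasons, names = score_rundll32(ev, by_pid)
        if score >= ALERT_THRESHOLD:
            alerts.append({"pid": ev["pid"], "score": score, "reasons": reasons,
                           "lineage": names, "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in detect_chain(EVENTS):
        print(f"[!] pid {a['pid']} score {a['score']}: {' <- '.join(a['lineage'])}")
        for r in a["reasons"]:
            print("    -", r)
```

The scoring is additive on purpose: the first chain trips every indicator, while the second chain (a downloader executable rather than Office spawning PowerShell) still reaches the threshold from the PowerShell flags and the user-writable DLL path alone, assuming the PowerShell stage uses hidden or encoded arguments, so it alerts at lower confidence instead of being missed. The benign Control Panel launch scores zero.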
The Cobalt Strike beacon lets the threat actors run commands remotely on the affected device, exfiltrate data and move laterally across the compromised network.
For command and control (C2), the beacons communicate with an Ubuntu server hosted by Alibaba and located in the Netherlands. The server presents two self-signed SSL certificates that are currently valid.
The Cisco researchers did not provide attribution. The techniques seen in these attacks are shared by a wide range of actors, from espionage groups to ransomware gangs.
Cobalt Strike is one of the most widely abused tools for post-exploitation and lateral movement once a foothold in a corporate network has been gained, and phishing campaigns distributing its beacons have increased over the past few years.
In 2021, Emotet phishing campaigns began dropping Cobalt Strike beacons directly for the first time, and more recently phishing attacks carrying the tool have targeted dissidents in Russia and entities in Ukraine.