Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 23 March, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Malicious Campaign Uses Government, Union-Themed Lures to Deliver Cobalt Strike Payloads

Earlier this week, researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow–on attacks.

by Guru Writer
October 4, 2022
in Cyber Bites
Malicious Campaign Uses Government, Union-Themed Lures to Deliver Cobalt Strike Payloads
Share on FacebookShare on Twitter

Earlier this week, researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow–on attacks.

It was reported that the company published a new advisory about the campaign on Wednesday saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand with a malicious attachment as their initial attack vectors.

The malicious Microsoft Word document attachment would then try to exploit a remote code execution (RCE) vulnerability (tracked CVE–2017–0199) in Microsoft Office.

“If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker–controlled Bitbucket repository,” Cisco Talos wrote.

In the aftermath of the initial infection, the security company said it discovered two attack methodologies employed by the threat actor in this campaign.

The first method saw the downloaded DOTM template executing an embedded malicious Visual Basic (VB) script, which led to the generation and execution of other obfuscated VB and PowerShell scripts.

The second one, on the other hand, involved the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

“The payload discovered is a leaked version of a Cobalt Strike beacon,” the Talos advisory reads.

“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”

As the main payload discovered in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information–stealer and Amadey botnet executables as payloads.

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” Talos wrote.

“Defenders should implement behavioral protection capabilities in the organization’s defense to effectively protect them against fileless threats.”

Moreover, Talos warned organizations to remain vigilant on the Cobalt Strike beacons and implement layered defenses designed to thwart the threat actor’s attempts in the earlier stage of the attack’s infection chain.

The advisory comes weeks after Group–IB revealed that the Chinese advanced persistent threat (APT) actor known as APT41 used Cobalt Strike to target at least 13 organizations around the world.

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Optus telco data breach – what we know so far

Next Post

LeakBase Announces Swachhata Platform Breached, 16 Million User PII Records Exposed

Recent News

Ferrari Data Breach: The Industry has its say

Ferrari Data Breach: The Industry has its say

March 22, 2023
security

What Is Observability, And Why Is It Crucial To Your Business?

March 21, 2023
Organisational Cybersecurity.jpg

How Emerging Trends in Virtual Reality Impact Cybersecurity

March 21, 2023
Nominations are Open for 2023’s European Cybersecurity Blogger Awards

Nominations are Open for 2023’s European Cybersecurity Blogger Awards

March 20, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information