Cobalt Strike beacons are being deployed in a new malware campaign involving fraudulent job-themed lures, which was initially identified in August, reports The Hacker News.
Threat actors have been exploiting a Microsoft Office remote code execution vulnerability, tracked as CVE-2017-0199, to take over systems, according to a Cisco Talos report. The initial attack vector is phishing emails carrying a Word document that advertises job openings in the U.S. government and at the New Zealand-based trade union Public Service Association. A successful exploit then delivers a leaked Cobalt Strike beacon.
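As an added, defender-side illustration (not code from Talos, SC Media or the campaign), the following check looks for the document shape that CVE-2017-0199 abuses: a Word package whose OLE object relationship is marked external and points at a remote URL. The sample package and its URL are constructed for the demonstration; `build_sample_docx` and `external_ole_links` are names chosen here, not from any library.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for embedded or linked OLE objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_ole_links(docx_bytes: bytes) -> list:
    """Return Target URLs of OLE relationships that point outside the package.

    CVE-2017-0199 lures use an oleObject relationship with TargetMode="External"
    whose Target is an http(s) URL; Word fetches the resource and hands it to an
    OLE handler. Legitimate linked objects normally reference local files, so
    remote targets are worth quarantining for review.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{RELS_NS}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                is_remote = target.lower().startswith(("http://", "https://"))
                if rel.get("TargetMode") == "External" and is_remote:
                    hits.append(target)
    return hits


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal package (not a real document) to exercise the check."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL; a real lure would point at attacker infrastructure.
    doc = build_sample_docx("http://example.com/lure.doc", external=True)
    print(external_ole_links(doc))  # prints ['http://example.com/lure.doc']
```

Run the check on mail-gateway attachments before delivery; a non-empty result is a strong trigger for quarantine, while an embedded object with a local target (the usual case) returns an empty list.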
"The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic," said researchers. Redline Stealer and the Amadey botnet have also been observed as the campaign's other payloads.
"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory... Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain," researchers added.