A social engineering campaign is exploiting a years-old remote code execution vulnerability in Microsoft Office to deploy Cobalt Strike beacons and target job seekers.
According to a report published on Wednesday by Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer, the payload discovered appears to be a leaked version of a Cobalt Strike beacon.
The beacon's configuration contains commands that can be used to inject arbitrary binaries directly into targeted processes. A high-reputation domain is configured on the beacon, a redirection technique used to disguise the beacon's traffic.
The malicious activity, discovered a year ago in August 2022, attempts to exploit CVE-2017-0199, a remote code execution vulnerability in Microsoft Office that allows an attacker to take control of an affected system remotely.
Phishing emails sent in the name of New Zealand's Public Service Association, a trade union based in the country, are one of the entry vectors for the attack. They carry a Microsoft Word attachment with job-related lures for positions in the U.S. government and in the Public Service Association. Cisco Talos notes that Cobalt Strike beacons are far from the only payloads: the company has also observed Redline Stealer and Amadey botnet executables delivered at the end of the attack chain.
A cybersecurity expert noted that the attack is highly modular and that Bitbucket repositories were used to host the malicious content. From those repositories the attack downloads a malware executable that installs the Cobalt Strike DLL beacon, a harmful piece of code that attackers could use later to further exploit the compromised computer.
Several attack sequences originate from Bitbucket: obfuscated VB and PowerShell scripts stored in a repository deliver an attack script that in turn fetches the beacon, which is hosted from a different Bitbucket account.
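The infection chain described above (an Office document that launches a script host, an obfuscated script executed in memory, and stage downloads from a Bitbucket account) leaves a recognisable trail in endpoint telemetry. The following Python detector is an added example, not code from the Talos report or the article; it runs over constructed Sysmon-style process-creation and network-connection events, and the field names, sample events and the base64 blob are all assumptions made for this illustration.

```python
"""
Added example: flag the three behaviours that make up the campaign's
infection chain in endpoint telemetry.

  1. an Office application spawning a script host,
  2. a script host run with command-line traits of in-memory execution,
  3. a script host fetching content from a code-hosting site.

Event fields are modelled on Sysmon event IDs 1 and 3 but are
constructed for this example; map them to your own schema.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
CODE_HOSTING = {"bitbucket.org"}  # the campaign used Bitbucket; extend as needed

# Command-line traits typical of scripts generated and executed in memory.
INMEM_PATTERNS = [
    re.compile(r"(?i)\s-e(nc(odedcommand)?)?\b\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)frombase64string"),
    re.compile(r"(?i)\biex\b|invoke-expression"),
    re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient"),
]


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (connection)
    image: str           # basename of the executing binary
    parent: str = ""     # basename of the parent process (process events)
    cmdline: str = ""    # full command line (process events)
    dest_host: str = ""  # destination hostname (network events)


def detect(events):
    """Return (rule_name, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        img = ev.image.lower()
        parent = ev.parent.lower()
        if ev.kind == "process":
            # Rule 1: Office document handing off to a script interpreter.
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", f"{ev.parent} -> {ev.image}"))
            # Rule 2: script host with in-memory execution markers.
            if img in SCRIPT_HOSTS and any(p.search(ev.cmdline) for p in INMEM_PATTERNS):
                alerts.append(("inmemory_script_execution", ev.cmdline[:80]))
        elif ev.kind == "network":
            # Rule 3: script host (not a browser or git client) pulling from code hosting.
            host = ev.dest_host.lower()
            if img in SCRIPT_HOSTS and any(host == d or host.endswith("." + d) for d in CODE_HOSTING):
                alerts.append(("script_host_fetches_from_code_hosting", f"{ev.image} -> {ev.dest_host}"))
    return alerts


# Constructed sample telemetry: one benign document open, one malicious chain,
# one developer browsing Bitbucket, one ordinary PowerShell use.
SAMPLE_EVENTS = [
    Event("process", "WINWORD.EXE", parent="outlook.exe", cmdline="WINWORD.EXE /n job_offer.docx"),
    Event("process", "wscript.exe", parent="WINWORD.EXE", cmdline=r"wscript.exe C:\Users\u\AppData\Local\Temp\loader.vbs"),
    # base64 blob below is just "AAAA..." encoded, a constructed placeholder
    Event("process", "powershell.exe", parent="wscript.exe",
          cmdline="powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    Event("network", "powershell.exe", dest_host="bitbucket.org"),
    Event("network", "chrome.exe", dest_host="bitbucket.org"),
    Event("process", "powershell.exe", parent="explorer.exe", cmdline="powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own is noisy (developers do use Bitbucket, and administrators do run encoded PowerShell), which is why correlating the three on one host within a short window is what turns these into a high-confidence alert for the layered defence the researchers recommend.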
"This campaign is a well-known example of how a threat actor employs a technique of generating and executing a malicious script in the system memory of the victim as a means of attacking the system," the researchers said.
"Organizations should be constantly vigilant for Cobalt Strike beacons and should implement layered defense capabilities to thwart the attacker's attempts at the earliest stage in the infection chain, so as to thwart the attack's progress."