Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Malware dropper. Show all posts

Cobalt Strike Beacon Using Job Lures to Deploy Malware

Cisco Talos researchers have detected a new malware campaign that is using job lures to deploy malware. The threat actors are weaponizing a year-old remote code execution flaw in Microsoft Office, infecting victims with leaked versions of Cobalt Strike beacons. 

According to the researchers, the attacks were discovered in August 2022. It begins with phishing emails regarding the U.S. Government's job details or a New Zealand trade union. The emails comprise of a multistage and modular infection chain with fileless, malicious scripts. 

On opening the attached malicious Word file, the victim was infected with an exploit for CVE-2017-0199, a remote code execution vulnerability in MS Office, that allows the threat actor to control the infected systems. As a result, the attacker deploys a chain of attack scripts that leads up to the Cobalt Strike beacon installation. 

"The payload discovered is a leaked version of a Cobalt Strike beacon[...]The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic" states Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a new analysis published on Wednesday. 

In addition to discovering the Cobalt Strike beacon as the payload in this campaign, the researchers have also observed the usage of the Redline information-stealer and Amadey botnet executables as the payloads. 

The Modus Operandi has been called “highly modularized” by the experts, the attack stands out for it leverages Bitbucket repositories to deploy malicious content that serves as a kickoff for downloading a Window executable, responsible for the installation of Cobalt Strike DLL beacon, says the Cybersecurity researchers. 

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory[...]Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain." states the researchers. 

Considering the growing phishing and malware attacks, the Cisco Talos team suggested users protect themselves with measures, such as updating their software and not opening any attachments in unsolicited messages. Besides, the team also suggests that administrators monitor their network security. 

New Malware Downloader Spotted in Targeted Campaigns

 

In recent weeks, a relatively sophisticated new malware downloader has emerged that, while not widely distributed yet, appears to be gaining momentum. Malwarebytes researchers recently discovered the Saint Bot dropper, as they have termed it, being used as part of the infection chain in targeted campaigns against government institutions in Georgia. 

Saint Bot was discovered by researchers while investigating a phishing email containing a zip file containing malware they had never seen before. The zip file included an obfuscated PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that led to Saint Bot being dropped on the compromised system. 

In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, the new loader is probably being used by a few different threat actors, implying that there are likely other victims. 

One of the information stealers that Saint Bot has noticed dropping is Taurus, a malware tool designed to steal passwords, browser history, cookies, and data from auto-fill. The Taurus stealer can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot mostly has been observed dropping stealers, the dropper is designed to deliver any malware on a compromised system. 

Malware droppers are specialized tools designed to install various types of malware on victim systems. One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that case, the dropper was specifically designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. 

Basically, the downloaders are first-stage malware tools designed to deliver a wide range of secondary and tertiary commodity payloads, such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers in recent years, such as Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals. 

Saint Bot, like many other droppers, has several unclear and anti-analysis features to help it avoid malware detection tools. It is designed to detect virtual machines and, in some cases, to detect but not execute on systems located in specific Commonwealth of Independent States countries, which include former Soviet bloc countries such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files." a spokesman from Malwarebytes' threat intelligence team states. In all instances, Saint Bot was eventually used to drop stealers. 

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that the malware's creators are still actively working on it. According to the security vendor, its investigation of the Saint Bot reveals that a previous version of the tool existed not long ago. " Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesman said.