One Article Review

Home - The article:
Source CISCO Talos
Identifier 7178779
Publication date 2022-09-28 08:18:45 (viewed: 2022-09-28 13:07:39)
Title New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
Text By Chetan Raghuprasad and Vanja Svajcer.

Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: one in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts, and another in which the malicious VB script downloads and runs a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high-reputation domain configured, exhibiting the redirection technique used to masquerade the beacon's traffic. Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed the use of the Redline information stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect against fileless threats. Organizations should be constantly vigilant for Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stages of the attack's infection chain.

Initial vector

The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information.

Initial malicious email message.

The maldocs have lures containing text related to the collection of personally identifiable information (PII), which is used to determ
Sent Yes
Tags Malware Vulnerability Threat Guideline
The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.