Cisco Talos detects malicious campaigns using government, union-themed lures offering Cobalt Strike beacons


Researchers at Cisco Talos discovered a malicious campaign last month delivering Cobalt Strike beacons that could be used in later, follow-on attacks. The assault involves a multistage and modular infection chain with fileless, malicious scripts. It also uses a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. 

“The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office,” Chetan Raghuprasad and Vanja Svajcer, Cisco Talos researchers wrote in a blog post on Wednesday. “If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.”

Lure themes in the phishing documents in the campaign are related to the job details of a government organization in the U.S. and a trade union in New Zealand, the post disclosed. 

Talos discovered that the C2 server used in the campaign, at the IP address 185[dot]225[dot]73[dot]238, runs Ubuntu Linux version 18.04, is located in the Netherlands and is part of the Alibaba cloud infrastructure. Shodan search results showed that the C2 server presented two self-signed SSL certificates, each valid for a year from Jul. 14 this year.

The researchers discovered two attack methodologies employed by the attacker in the campaign. In the first, the downloaded DOTM template executes an embedded malicious Visual Basic script, which generates and executes further obfuscated VB and PowerShell scripts. In the second, the malicious VB script downloads and runs a Windows executable, which in turn executes malicious PowerShell commands to download and implant the payload.

Cisco Talos said that the payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high-reputation domain configured, a redirection technique used to disguise the beacon’s traffic as legitimate.

Although the payload discovered in the campaign is a Cobalt Strike beacon, Talos also observed the Redline information-stealer and Amadey botnet executables being used as payloads. “This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers pointed out. Defenders should implement behavioral protection capabilities in their organization’s defenses to protect effectively against such fileless threats.
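The two infection chains described above (Word executing a VB script that spawns PowerShell, and Word dropping an executable that then runs PowerShell) both leave a process-ancestry trail that behavioral monitoring can catch even when no script ever touches disk. The following is an added illustration, not code from Talos or from the article: it runs a simple ancestry rule over a constructed list of process-creation events (Sysmon Event ID 1 style fields: pid, ppid, image, cmdline) and flags any script host whose ancestry, up to a few levels, includes an Office application. The event records, the executable name `updater.exe`, the host names and the encoded-command string are all constructed sample data.

```python
import re

# Process names that should rarely be ancestors of a script host (constructed allow/deny lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of fileless script execution: encoded commands, hidden windows,
# in-memory evaluation. Matching raises severity; the ancestry rule alone still yields an alert.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|invoke-expression|\biex\b|frombase64string"
    r"|-nop\b|-w(indowstyle)?\s+hidden"
)


def basename(image_path):
    """Lower-cased file name of an image path, accepting either path separator."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=5):
    """Image names of the event's parent, grandparent, ... up to max_depth levels."""
    chain = []
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(basename(cur["image"]))
    return chain


def analyze_process_events(events):
    """Return one alert per script host that has an Office application among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        if image not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        office = next((p for p in chain if p in OFFICE_PARENTS), None)
        if office is None:
            continue  # script host with no Office ancestor: e.g. an admin running a script
        suspicious = bool(SUSPICIOUS_ARGS.search(e.get("cmdline", "")))
        alerts.append({
            "pid": e["pid"],
            "image": image,
            "office_ancestor": office,
            "depth": chain.index(office) + 1,   # 1 = direct child of the Office process
            "severity": "high" if suspicious else "medium",
        })
    return alerts


# Constructed sample events mirroring the two chains in the article (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"WINWORD.EXE /n C:\Users\u\Downloads\job_description.docx"},
    # Chain 1: embedded VB script inside Word spawns PowerShell directly.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\a.ps1"},
    # Chain 2: Word drops an executable, which then runs an encoded, hidden PowerShell command.
    {"pid": 400, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\updater.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\updater.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    # Benign: an administrator's script launched from Explorer, no Office ancestor.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in analyze_process_events(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk is what makes the rule cover the second chain: a direct parent check would see only `updater.exe` launching PowerShell and miss that Word started the whole sequence. In production the same logic belongs in an EDR or SIEM rule keyed on process GUIDs rather than PIDs, since PIDs are reused.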

Organizations should remain vigilant for Cobalt Strike beacons and implement layered defenses to thwart the attacker’s attempts at an earlier stage of the infection chain.

The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information, Cisco Talos said. “The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determine the eligibility of the job applicant for employment with U.S. federal government contractors and their alleged enrollment status in the government’s life insurance program,” it added.

The researchers found that the text in the maldoc resembles the contents of a declaration form of the U.S. Office of Personnel Management (OPM), which serves as the chief human resources agency and personnel policy manager for the federal government. 

Another maldoc of the same campaign contains a job description advertising for roles related to delegating development, PSA plus — a prominent New Zealand trade union — and administrative support for National Secretaries at the Public Service Association office based out of Wellington, New Zealand, Cisco Talos said. “The contents of this maldoc lure resemble the legitimate job description documents for the New Zealand Public Service Association, another workers’ union for New Zealand federal employees, headquartered in Wellington.”

PSA New Zealand released a legitimate job description document in April this year. On May 6, 2022, the threat actor built the maldoc with those text lures so that it would appear to be a legitimate document. Talos’ observation shows that the threat actors are also regular consumers of online news.

Attack methodologies employed by the actor in the campaign are highly modularised and have multiple stages in the infection chain, the researchers disclosed. “Talos discovered two different attack methodologies of this campaign with a few variations in the TTPs, while the initial infection vector, use of remote template injection technique and the final payload remained the same,” they added.
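Both the initial maldoc described earlier (a Word file that pulls a malicious template from an attacker-controlled Bitbucket repository) and the remote template injection technique named here rely on the same structural feature: a relationship inside the OOXML package whose `TargetMode` is `External` and whose target is a URL. A mail gateway or sandbox can flag that without detonating the file. The code below is an added example, not Talos’ tooling or the article’s; it constructs minimal Word packages in memory (constructed test data, not real maldocs) and scans every `.rels` part for external `attachedTemplate` or `oleObject` relationships pointing at remote locations. The hostname `c2.example` is a placeholder.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Relationship types that Word resolves by fetching the target; abused for remote template
# injection (attachedTemplate) and for OLE link-style document exploits (oleObject).
FETCHED_TYPES = ("/attachedTemplate", "/oleObject")

# Remote targets: URL schemes that imply a network fetch, or a UNC path. A local
# file:///C:\...\Normal.dotm attached template is common and legitimate, so it is not flagged.
REMOTE_TARGET = re.compile(r"(?i)^(https?|ftp)://|^\\\\")


def find_remote_templates(doc_bytes):
    """Return (rels_part, relationship_kind, target) for every remote fetched relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                if rtype.endswith(FETCHED_TYPES) and REMOTE_TARGET.match(target):
                    hits.append((name, rtype.rsplit("/", 1)[-1], target))
    return hits


def build_sample_docx(template_target=None):
    """Build a minimal Word package; if template_target is given, attach it as an
    external template the way a remote-template-injection document does (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        pkg.writestr("word/document.xml",
                     "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels = ""
        if template_target is not None:
            rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
        pkg.writestr("word/_rels/settings.xml.rels",
                     f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("https://c2.example/job_template.dotm")
    clean = build_sample_docx()
    print("suspicious:", find_remote_templates(suspicious))
    print("clean:", find_remote_templates(clean))
```

The scan is deliberately format-level: it reads the package metadata and never renders the document, so it is safe to run on untrusted attachments and is not affected by the obfuscation layers the article describes in the later VB and PowerShell stages. Real scanners should also cover `.rtf` and legacy OLE containers, which this OOXML-only check does not parse.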

Talos discovered that the final payload of the campaign is a Cobalt Strike beacon. Cobalt Strike is a modularised attack framework and is customizable. Threat actors can add or remove features according to their malicious intentions.

“Employing Cobalt Strike beacons in the attacks’ infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections,” the researchers said. “Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binaries into the running processes of the infected machines and can avoid having separate injection module implants in their infection chain,” they added.

In June, U.S. authorities issued a cybersecurity advisory warning that Karakurt data extortion hackers create significant challenges for defense and mitigation. The advisory said that upon developing or obtaining access to a compromised system, Karakurt hackers deploy Cobalt Strike beacons to enumerate a network, install Mimikatz to pull plain-text credentials, use AnyDesk to obtain persistent remote control, and utilize additional situation-dependent tools to elevate privileges and move laterally within the network.
