

Researchers at security firm Cisco Talos discovered a malicious campaign in August 2022 that relied on modularized attack techniques to deliver Cobalt Strike beacons and used them in follow-on attacks.

The company published a new advisory about the campaign on Wednesday saying the threat actors behind it used a phishing email impersonating either a government organization in the US or a trade union in New Zealand, with a malicious Microsoft Word document attachment, as their initial attack vector.

The malicious attachment would then try to exploit a remote code execution (RCE) vulnerability (tracked as CVE-2017-0199) in Microsoft Office.

"If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository," Cisco Talos wrote.

Following the initial infection, the security company said it discovered two attack methodologies employed by the threat actor in this campaign.

The first one saw the downloaded DOTM template executing an embedded malicious Visual Basic (VB) script, which led to the generation and execution of other obfuscated VB and PowerShell scripts.

The second one, on the other hand, involved the malicious VB script downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

"The payload discovered is a leaked version of a Cobalt Strike beacon," the Talos advisory reads. "The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic."

While the main payload discovered in this campaign is a Cobalt Strike beacon, Talos also said the threat actors used the Redline information-stealer and Amadey botnet executables as payloads.

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory," Talos wrote.

Additionally, Talos warned organizations to remain vigilant about Cobalt Strike beacons and to implement layered defenses designed to thwart the threat actor's attempts in the earlier stages of the attack's infection chain.

"Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats."
