These Fake US Government Job Ads Spread More Malware

Cybercriminals are targeting job seekers in the United States and New Zealand to distribute Cobalt Strike beacons, as well as other viruses and malware.

Cisco Talos researchers say an unknown threat actor is sending multiple email phishing lures that impersonate the US Office of Personnel Management (OPM) and the Public Services Association of New Zealand (PSA).

The email asks the victim to download and run an attached Word document, claiming it contains more details about the job opportunity.

Remote code execution

The document contains macros that, if run, exploit a vulnerability known as CVE-2017-0199, a remote code execution flaw patched in April 2017. Running the macro causes Word to download a document template from a Bitbucket repository. The template then runs a series of Visual Basic scripts which, in turn, download a DLL file called "newmodeler.dll". This DLL is actually a Cobalt Strike beacon.

There is also a simpler distribution method in which the malware downloader is fetched directly from Bitbucket.
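The chain described above (a macro-bearing Word document whose template is pulled from an external Bitbucket URL) leaves indicators that a mail gateway or analyst can check before the file is ever opened. The following is an added example, not code from Talos or from the article: it builds a constructed OOXML archive in memory and reports whether it carries a VBA project and any external relationship targets; the file layout, the placeholder URL and the function names are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_doc(with_macros: bool, template_url: str = "") -> bytes:
    """Constructed test fixture: a minimal OOXML zip, not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
        rels = f'<Relationships xmlns="{PKG_NS}">'
        if template_url:  # an attached template fetched from a remote host
            rels += (f'<Relationship Id="rId1" Type="{REL_NS}attachedTemplate" '
                     f'Target="{template_url}" TargetMode="External"/>')
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def triage_office_doc(data: bytes) -> dict:
    """Report the two indicators from the article: a VBA project and remote targets."""
    findings = {"has_macros": False, "external_targets": [], "bitbucket_hosted": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings["has_macros"] = True
            elif low.endswith(".rels"):
                # For untrusted input in production, prefer defusedxml over ElementTree.
                root = ET.fromstring(z.read(name))
                for rel in root.iter():
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and target.lower().startswith(("http://", "https://")):
                        findings["external_targets"].append(target)
    findings["bitbucket_hosted"] = any("bitbucket.org" in u.lower() for u in findings["external_targets"])
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either indicator alone is reason to quarantine or detonate the file in a sandbox."""
    return findings["has_macros"] or bool(findings["external_targets"])


if __name__ == "__main__":
    lure = build_sample_doc(True, "https://bitbucket.org/placeholder-user/placeholder-repo/raw/main/template.dotm")
    print(triage_office_doc(lure), is_suspicious(triage_office_doc(lure)))
```

Real documents may also reference remote templates from other parts (for example document.xml.rels), which the same relationship walk covers because every .rels part in the archive is inspected.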

With the help of a Cobalt Strike beacon, threat actors can remotely execute various commands on the compromised endpoint, steal data and move laterally through the network, mapping it and finding more sensitive data.

The researchers say the beacons communicate with an Ubuntu server, hosted by Alibaba and based in the Netherlands. The server holds two valid self-signed SSL certificates.

Cisco has not named the threat actors behind this campaign, but there is one prominent name that has been involved in numerous fake work campaigns recently, and that is the Lazarus Group.

The infamous North Korean state-sponsored threat actor targets blockchain developers, artists working on non-fungible tokens (NFTs), as well as aerospace experts and political journalists with fake jobs, stealing cryptocurrency and valuable information.

Via: BleepingComputer