Getty Images/iStockphoto

Cobalt Strike malware campaign targets job seekers

Cisco Talos researchers spotted a new wave of phishing attacks that target job seekers in the U.S. and New Zealand, infecting them with Cobalt Strike beacons.

A new malware campaign uses the lure of a job to infect victims with leaked versions of Cobalt Strike beacons.

Researchers with Cisco Talos said the attack begins with phishing emails regarding fraudulent job opportunities with either the U.S. government or a trade union in New Zealand. Ironically, one of the lures is for a job in the U.S. Department of Defense.

Should users open the attached Word file, the team said, they will be served an exploit for CVE-2017-0199, a long-known remote code execution vulnerability in Office. This, in turn, kicks off a chain of attack scripts that culminates in the Cobalt Strike beacon installation.

"The payload discovered is a leaked version of a Cobalt Strike beacon," wrote Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a blog post Wednesday. "The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic."

Cobalt Strike is a widely known suite of customizable penetration testing tools developed by HelpSystems. The software has also become a favorite tool of cybercriminals as an easy and cost-effective way to remotely access and manage infected systems. In this latest campaign, Cisco Talos observed leaked versions of the software infecting victims' systems.

"Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections," Raghuprasad and Svajcer wrote.

The researchers noted that Cobalt Strike is not the only piece of software being served up in the attacks. In some cases, users were instead infected with a different piece of information-stealing malware called RedLine or a botnet executor known as Amadey.

The attack also uses one of two different fileless scripts to obtain the payload -- either an embedded Visual Basic script in the file or a downloaded Visual Basic script obtained at the time of exploitation.

The Cobalt Strike team recently had its own security scare when a potentially serious security flaw was discovered and reported to developers, necessitating an emergency update.

In this case, users can protect themselves with common sense measures, such as updating their software and not opening attachments in unsolicited messages. The Cisco Talos team also suggested administrators check their network security measures.

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory," the researchers wrote. "Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats."

Dig Deeper on Threats and vulnerabilities