Cybercriminals are preying on job seekers in america and New Zealand to distribute Cobalt Strike beacons, but in addition different viruses and malware (opens in new tab), as properly.
Researchers from Cisco Talos declare an unknown risk actor is sending out a number of phishing lures through electronic mail, assuming the identification (opens in new tab) of the US Workplace of Personnel Administration (OPM), in addition to the New Zealand Public Service Affiliation (PSA).
The e-mail invitations the sufferer to obtain and run an hooked up Phrase doc, claiming it holds extra particulars in regards to the job alternative.
Distant code execution
The doc is laced with macros which, if run, exploit a recognized vulnerability tracked as CVE-2017-0199, a distant code execution flaw fastened in April 2017. Operating the macro ends in Phrase downloading a doc template from a Bitbucket repository. The template then executes a collection of Visible Fundamental scripts which, consequently, downloads a DLL file known as “newmodeler.dll”. That DLL is, actually, a Cobalt Strike beacon.
There’s additionally one other, simpler distribution technique, through which the malware downloader is fetched instantly from Bitbucket.
With the assistance of a Cobalt Strike beacon, the risk actors can remotely execute numerous instructions on the compromised endpoint, steal knowledge, and transfer laterally all through the community, mapping it out and discovering extra delicate knowledge.
The researchers declare the beacons talk with a Ubuntu server, hosted by Alibaba, and primarily based within the Netherlands. It incorporates two self-signed and legitimate SSL certificates.
Cisco didn’t identify the risk actors behind this marketing campaign, however there may be one distinguished identify that’s been engaged in quite a few pretend job campaigns recently, and that’s Lazarus Group.
The notorious North Korean state-sponsored risk actor has been focusing on blockchain builders, artists engaged on non-fungible tokens (NFT), in addition to aerospace specialists and political journalists with pretend jobs, stealing cryptocurrencies and helpful info.
By way of: BleepingComputer (opens in new tab)
