In this attack, multiple stages of scripts being downloaded and executed are used to get to the main malware payload.
2 Attached exploit document CVE-2017-11882 Exploit Leads to a Cobalt Strike Beacon However, in the background a PowerShell script is already being spawned that will eventually download a Cobalt Strike client to take control of the victim’s system.įig. Once the document is opened, the user is presented with a plain document. 1 Fake Visa notification email in russian So it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.įig. This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open. This is to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. Spam mails containing password-protected archives, which usually also contain the malicious file, has become very common.
Cobalt strike beacon detection archive#
For some reason, this archive also contains the said document.
Cobalt strike beacon detection password#
The attachments include a malicious RTF document with the filename “ Изменения в системе безопасности.doc Visa payWave.doc” and an archive (same filename) protected by a password that is included in the email’s body. The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. Fake Visa Notification Targets Russian Speakers
Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.Īnd as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike. Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882.
0 kommentar(er)
