Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign promoting Cobalt Strike payloads disguised as Kaseya VSA security updates.
Cobalt Strike is a legitimate penetration testing and threat emulation tool that attackers also use for post-exploitation tasks and to deploy so-called beacons, which give them remote access to compromised systems.
The end goal of such attacks is either to collect and exfiltrate sensitive data or to deliver second-stage malware payloads.
“Interestingly, 66 percent of all ransomware attacks this quarter involved the Cobalt Strike Red Teaming framework,” as stated in a quarterly report from September.
Spam emails bundle malicious attachments and links
The malspam campaign discovered by Malwarebytes Threat Intelligence researchers uses two different tactics to deploy the Cobalt Strike payloads.
Malicious emails sent as part of this malspam campaign come with a malicious attachment and an embedded link that looks like a Microsoft patch for the Kaseya VSA zero-day that was exploited in the REvil ransomware attack.
“A malspam campaign uses the Kaseya VSA ransomware attack to drop CobaltStrike,” the Malwarebytes Threat Intelligence team said.
“It has an attachment called ‘SecurityUpdates.exe’ and a link pretending to be a security update from Microsoft to fix the Kaseya vulnerability!”
The attackers gain persistent remote access to the target systems as soon as the recipients execute the malicious attachment or download the fake Microsoft update and run it on their devices.
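A defender-side triage check for the two lure traits described above (an executable attachment such as ‘SecurityUpdates.exe’ and an "update" link that does not point at the vendor's own domain), written as an added example that is not code from Malwarebytes or the original article; the sample message, hostnames and trusted-domain list are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the article; not a real captured email.
SAMPLE_EML = """\
From: IT Support <support@example.invalid>
To: admin@example.invalid
Subject: Urgent: Kaseya VSA security update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Microsoft has released a patch for the Kaseya VSA vulnerability.</p>
<a href="http://update-portal.example.invalid/patch">Download the Microsoft security update</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="SecurityUpdates.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

EXEC_EXT = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1")
UPDATE_WORDS = re.compile(r"security\s+update|patch|hotfix", re.I)
# Assumed list of hosts a genuine VSA/Microsoft update link would come from.
TRUSTED_UPDATE_HOSTS = ("microsoft.com", "kaseya.com")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _on_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_UPDATE_HOSTS)


def triage(raw_eml):
    """Return a list of lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():          # executable attachment lure
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            findings.append(f"executable attachment: {part.get_filename()}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):    # fake vendor update link lure
        host = (urlparse(href).hostname or "").lower()
        if UPDATE_WORDS.search(text) and not _on_trusted_host(host):
            findings.append(f"update link off vendor domain: {host}")
    return findings
```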
Colonial Pipeline attack also used in Cobalt Strike phishing
Last month, threat actors also used fake system updates that claimed to detect and block ransomware infections after the Colonial Pipeline attack.
Just like this month’s malspam campaign, the June phishing campaign delivered malicious payloads built with the Cobalt Strike penetration testing tool, which would have allowed attackers to compromise recipients’ systems.
As INKY researchers who discovered the attacks said, the phishing emails included a deadline for installing the fake updates to create a sense of urgency.
The payload download pages were also customized with the target company’s graphics to make them appear trustworthy.
These two campaigns underscore that threat actors in the phishing business keep up with the latest news so they can distribute lures tied to current events and increase the success rates of their campaigns.
The widespread REvil ransomware attack that hit the Kaseya MSP software provider, around 60 of its 35,000 direct customers, and 1,500 of their 1,000,000 downstream companies makes a perfect lure.
Because Kaseya says it has not yet deployed a fix for the VSA zero-day exploited by REvil, many of its customers looking to protect their networks from attack could fall for this phishing campaign’s tricks.