Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims with a spam campaign that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates.
Cobalt Strike is a legitimate penetration testing tool and threat emulation software that is also used by attackers for post-exploitation tasks and to deploy so-called beacons, which give them remote access to compromised systems.
The ultimate goal of such attacks is to collect and exfiltrate sensitive data or to deliver second-stage malware payloads.
“Interestingly, 66 percent of all ransomware attacks this quarter involved the Cobalt Strike red team framework, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans,” the Cisco Talos Incident Response (CTIR) team said in a September quarterly report.
Spam emails bundle malicious links and attachments
The malspam campaign spotted by Malwarebytes Threat Intelligence researchers uses two different tactics to deploy Cobalt Strike payloads.
Malicious emails sent as part of this campaign come with a malicious attachment and an embedded link designed to look like a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.
“A malspam campaign is leveraging the Kaseya VSA ransomware attack to drop CobaltStrike,” the Malwarebytes threat intelligence team said.
“It contains an attachment named ‘SecurityUpdates.exe’, as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability.”
The attackers gain persistent remote access to the targeted systems once the recipients run the malicious attachment or download and launch the bogus Microsoft update on their devices.
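The lure described above rests on two tells a mail gateway or triage analyst can check mechanically: an executable attachment dressed up as an update, and a link whose anchor text claims to be a Microsoft update while its actual host is not a Microsoft domain. The following is an added example written for this article, not code from Malwarebytes or the original report; the trusted-domain list, the lure vocabulary and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Executable-type attachment extensions worth flagging in an update-themed lure.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".hta"}

# Assumption: domains from which a genuine Microsoft update link would come.
MICROSOFT_HOSTS = ("microsoft.com", "windowsupdate.com")

# Lure vocabulary drawn from the campaign described in the article.
UPDATE_WORDS = re.compile(r"security\s*update|patch|hotfix|kaseya|vsa", re.I)


def host_is_microsoft(url):
    """True only if the URL's real host is a Microsoft domain; the anchor text is ignored."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_HOSTS)


def triage(msg):
    """Return the reasons a message looks like an update-themed Cobalt Strike lure.

    msg is a dict with 'subject', 'attachments' (file names) and 'links'
    (a list of (anchor_text, url) pairs). An empty list means nothing was flagged.
    """
    reasons = []
    themed = bool(UPDATE_WORDS.search(msg.get("subject", "")))

    for name in msg.get("attachments", []):
        parts = name.lower().rsplit(".", 1)
        ext = "." + parts[1] if len(parts) == 2 else ""
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")

    for text, url in msg.get("links", []):
        # Compare what the link claims to be with where it actually points.
        claims_update = "microsoft" in text.lower() or bool(UPDATE_WORDS.search(text))
        if claims_update and not host_is_microsoft(url):
            reasons.append(f"update link not hosted on Microsoft domain: {url}")

    # An update-themed subject on top of a flagged indicator strengthens the verdict.
    if themed and reasons:
        reasons.insert(0, "update-themed subject")
    return reasons


# Constructed sample messages (hypothetical, not real campaign artifacts).
SAMPLES = [
    {
        "subject": "Kaseya VSA security update",
        "attachments": ["SecurityUpdates.exe"],
        "links": [("Download Microsoft security update", "https://updates.example-lure.test/patch")],
    },
    {
        "subject": "Monthly newsletter",
        "attachments": ["report.pdf"],
        "links": [("Microsoft Update Catalog", "https://www.catalog.update.microsoft.com/")],
    },
]


def triage_all(samples=SAMPLES):
    """Run the heuristic over every sample and return one reason list per message."""
    return [triage(m) for m in samples]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage_all()):
        print(msg["subject"], "->", verdict or "clean")
```

The point of `host_is_microsoft` is that it parses the URL and checks the registered host with a proper suffix match, so a lookalike such as `microsoft.com.example.test` or anchor text that merely says "Microsoft" does not pass. The heuristic is deliberately coarse: it is meant to surface messages for review, not to replace attachment sandboxing or URL reputation.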
The Colonial Pipeline attack was also exploited in Cobalt Strike phishing
Last month, threat actors also used bogus system updates that they claimed would help detect and block ransomware infections following the Colonial Pipeline attack.
As with this month’s malspam campaign, June’s phishing campaign also pushed malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise recipients’ systems.
As the INKY researchers who detected the attacks said, the phishing emails came with a deadline to install the fake updates to add a sense of urgency.
The payload download pages were also customized using the company’s landing graphics to make them appear reliable.
These two campaigns highlight that threat actors in the phishing business track the latest news to drive lures relevant to recent events to increase their campaign success rates.
The highly publicized REvil ransomware attack that hit MSP software provider Kaseya, roughly 60 of its 35,000 direct customers and 1,500 of the 1,000,000 downstream companies makes it a perfect hot topic.
Since Kaseya has yet to roll out a fix for the VSA zero-day exploited by REvil, many of its customers could fall for this phishing campaign’s tricks while trying to protect their networks from attacks.