20 June 2022

MALSPAM CAMPAIGN: Cobalt Penetration Suite Opens The Way to Wider Exploitation Potential

On May 23, 2022 Cobalt Strike as a second-stage payload in Metanbuchus malspam campaign was first reported by DCSO, a German security company.
They also noticed that Qakbot was also delivered in some cases.
Interestingly, in that campaign, the digital signature used for the MSI file was again a valid one from DigiCert, issued to "Advanced Access Services LTD."
 

New phishing attack infects devices with Cobalt Strike

 
"Security researchers have noticed a new malicious spam campaign that delivers the 'Matanbuchus' malware to drop Cobalt Strike beacons on compromised machines.
Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.

Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory.

Palo Alto Networks' Unit 42 analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. The malware's features include launching custom PowerShell commands, leveraging standalone executables to load DLL payloads, and establishing persistence via the addition of task schedules.

Ongoing campaign

Threat analyst Brad Duncan captured a sample of the malware and examined how it works in a lab environment.

The malspam campaign currently underway uses lures that pretend to be replies to previous email conversations, so they feature a 'Re:' in the subject line.

> The emails carry a ZIP attachment that contains an HTML file that generates a new ZIP archive. This ultimately extracts an MSI package digitally signed with a valid certificate issued by DigiCert for "Westeast Tech Consulting, Corp."

Valid digital certificate used on the MSI file
Valid digital certificate used on the MSI file (isc.sans.edu)

> Running the MSI installer supposedly initiates an Adobe Acrobat font catalog update that ends with an error message, to distract the victim from what happened behind the scenes.

> In the background, two Matanbuchus DLL payloads ("main.dll") are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.

Snapshot of malicious network traffic
Snapshot of malicious network traffic (isc.sans.edu)

Finally, Matanbuchus loads the Cobalt Strike payload from the C2 server, opening the way to wider exploitation potential.

Matanbuchus current infection chain
Matanbuchus current infection chain (isc.sans.edu)

Related Articles:

Fake antivirus updates used to deploy Cobalt Strike in Ukraine

Android-wiping BRATA malware is evolving into a persistent threat

Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike

New MaliBot Android banking malware spreads as a crypto miner

Android malware on the Google Play Store gets 2 million downloads

No comments: