Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks – E Hacking News


Cyberattack actors are trying to monetize off the currently ongoing Kaseya
ransomware attack incident by attacking probable victims in a spam campaign
attack forcing Cobalt Strike payloads acting as Kaseya VSA security updates.
Cobalt Strike is a genuine penetration testing software and threat detection tool
which is also used by attackers for post-cyberattack tasks and plant beacons
that lets them to gain remote access to hack into compromised systems. The
primary goal of such attacks is either stealing data (harvesting)/exfiltrating
sensitive information, or deploying second-stage malware payloads. 

Cisco Talos
Incident Response (CTIR) team in a September report said that “interestingly, 66
percent of all ransomware attacks this quarter involved red-teaming framework
Cobalt Strike, suggesting that ransomware actors are increasingly relying on the
tool as they abandon commodity trojans.” The malware spam campaign discovered by
Malwarebytes Threat Intelligence experts use two distinct approaches to plant
the Cobalt Strike payloads. Emails sent as a part of this spam campaign comes
with an infected attachment and an attached link built to disguised as a
Microsoft patch for Kaseya VSA zero-day compromised in the Revil ransomware

Malwarebytes Threat Intelligence team said that a malspam campaign is
taking advantage of the Kaseya VSA ransomware attack to drop CobaltStrike. It
contains an attachment named ‘SecurityUpdates.exe’ as well as a link pretending
to be a security update from Microsoft to patch Kaseya vulnerability, the report
said. The hackers gain persistent remote access to attack systems after running
malicious attachments/downloads and launching fake Microsoft updates on their

Bleeping Computer reports “just as with this month’s malspam campaign,
the June phishing campaign was also pushing malicious payloads designed to
deploy the Cobalt Strike penetration testing tool, which would have allowed the
attackers to compromise the recipients’ systems. The payload download pages were
also customized using the target company’s graphics to make them appear
trustworthy.” These two campaigns highlight that threat actors in the phishing
business keep track of the latest news for pushing lures relevant to recent
events to boost their campaigns rates of success, said Bleeping Computers.

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *