New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

Share:

A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in shoppingmode Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.

“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.

“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”

 

The malicious activity, discovered in August 2022, attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in shoppingmode Microsoft Office, that allows an attacker to take shoppingmode control of an affected system.

The entry vector for the attack is a phishing email containing a shoppingmode Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.

Attack Method1

Attack Method2

Cobalt Strike beacons are far from the only malware samples deployed, for Cisco Talos said it has also observed the usage of the Redline Stealer and Amadey botnet executables as payloads at the other end of the attack chain.

Calling the attack methodology “highly modularized,” the cybersecurity company said the activity also stands out for its use of Bitbucket repositories to host malicious content that serves as a starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.

In an alternative attack sequence, the Bitbucket repository functions as a conduit to deliver obfuscated VB and PowerShell downloader scripts to install the beacon hosted on a different Bitbucket account.

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.

“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”

https://thehackernews.com/2022/09/new-malware-campaign-targeting-job.html

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:09 am, Jul 11, 2025
weather icon 28°C
L: 26° | H: 30°
few clouds
Humidity: 45 %
Pressure: 1021 mb
Wind: 2 mph NNW
Wind Gust: 3 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 13%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
26° | 30°°C 0 mm 0% 8 mph 47 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
29° | 29°°C 0 mm 0% 3 mph 42 % 1021 mb 0 mm/h
Today 4:00 pm
weather icon
30° | 31°°C 0 mm 0% 5 mph 31 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
28° | 28°°C 0 mm 0% 5 mph 28 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
weather icon
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Tomorrow 10:00 am
weather icon
24° | 24°°C 0 mm 0% 6 mph 45 % 1017 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€101,255.25
6.68%
Ethereum(ETH)
€2,579.67
8.69%
Tether(USDT)
€0.85
0.01%
XRP(XRP)
€2.23
6.97%
Solana(SOL)
€140.91
4.43%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.170131
9.79%
Shiba Inu(SHIB)
€0.000011
7.31%
Pepe(PEPE)
€0.000011
16.09%
Peanut the Squirrel(PNUT)
€0.246894
20.17%
Scroll to Top