It triggers yet another PowerShell script which has the client DLL files of Cobalt Strike – a rather outdated, but still very effective tool, previously used for penetration testing of the defenses in Windows Operating Systems. ps1 file, belonging to Cobalt Strike is automatically activated. ps1 file is executed, the actual Cobalt Strike infection takes place on the victim’s computer.Ĭobalt Strike Malware – Malicious Activity The file is located in the %AppData% directory and may appear like the following:
But what is downloaded is not the final JavaScript payload, but instead this JavaScript triggers another download from the host 104.254.99.77 which downloads a file with a random name and the. The result of this is that the mshta.exe service connects to the IP address 104.254.99.77 and downloads the JavaScript infection payload of Cobalt Strike on the victim’s computer. The whole process of initiating the download is done by taking control of the Microsoft HTML Application Host also known as the process mshta.exe, that has a purpose to execute HTML apps. In reality however, the file triggers a script for PowerShell which initiates the download of the infection file of Cobalt Strike, while obfuscating it with the CVE-2017-11882 vulnerability. Once this document is opened, the victim sees a legitimate Microsoft Word file that only says the words “Enable Editing”: doc files that pose as “New security system changes in Visa payWave”. The message (In Russian) pretends to come from Visa’s payWave system and it aims to get the victim to open what appears to be a.
One sample was detected by malware researchers Jasper Manual and Joie Salvio at Fortinet and it uses the following e-mail: The way the cyber-criminals who are believed to be the C obalt hacker group have decided to use malicious macro infections for their attacks in e-mails that they pretend are from Visa. So far, what is known about this vulnerability is that it was only patched once, two weeks after it was discovered by Microsoft. The file itself infects via malicious macros which contain the exploit CVE-2017-11882 that is over 17 years old at the time of writing this.
In order to cause a successful infection, the malicious file of this virus is actually a semi-legitimate Microsoft Word document, which pretends to be a legitimate file sent by a bank or a big company. Cobalt Strike Malware – Infection Analysis
0 kommentar(er)
