Author: Christopher Kim
During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike [1][2][3], a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed “BazarStrike,” deliver the loaders using tactics, techniques, and procedures (TTPs) similar to those of BazarLoader campaigns. [4]
Cobalt Strike is a commercial penetration testing solution that attackers use to deploy a program named “Beacon” on the victim’s machine. Threat actors can use Beacon to perform advanced post-exploitation functions such as:
- Command execution,
- Key logging,
- File transfer,
- Socks proxying,
- Privilege escalation,
- Port scanning, and
- Lateral movement.
In late 2020, Cobalt Strike was involved in several major cyberattacks, including the supply chain attack on SolarWinds’ Orion platform [6] and ransomware attacks on the healthcare sector. [7]
These campaigns used malware delivery methods typically seen in BazarLoader campaigns. [8]
Email messages followed a customer complaint theme, in the form of a letter, report or request. Subject lines included “Re: complaint on <lastname>” and “<Victim company> complaint.” The email bodies contained a link that led the victim to a customized landing web page hosted on an online platform for email marketing and creating landing pages.
The threat actor(s) constructed the link name from a static prefix such as “complaint-letter” followed by the email’s date. The landing page contained another link to a Google Drive that hosted the loader payload.
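The lure traits above (complaint-themed subject, a “complaint-letter” link name carrying the email’s date, and a landing page that points to Google Drive) can be turned into a simple triage rule for mail-gateway or URL-analysis logs. The following is an added example, not code from the original report; the date format inside the link name and the hostnames in the sample messages are assumptions, since the report gives neither.

```python
import re
from urllib.parse import urlparse

# Lure indicators described in the advisory. The date format inside the link
# name is an assumption: the report only says "prefix plus the email's date".
SUBJECT_RES = (
    re.compile(r"^\s*re:\s*complaint on \S+", re.I),   # "Re: complaint on <lastname>"
    re.compile(r"^\s*\S.*\s+complaint\s*$", re.I),      # "<Victim company> complaint"
)
LINK_RE = re.compile(r"complaint-letter[-_]?\d{1,4}[-_.]?\d{1,2}[-_.]?\d{2,4}", re.I)
DRIVE_RE = re.compile(r"^https?://drive\.google\.com/", re.I)


def score_message(subject, email_urls, landing_urls=()):
    """Return the list of BazarStrike lure indicators matched by one message.

    email_urls:   links extracted from the email body
    landing_urls: links seen on the landing page (e.g. from URL analysis), optional
    """
    hits = []
    if any(r.search(subject) for r in SUBJECT_RES):
        hits.append("subject:complaint-theme")
    if any(LINK_RE.search(urlparse(u).path) for u in email_urls):
        hits.append("link:complaint-letter-date")
    if any(DRIVE_RE.search(u) for u in landing_urls):
        hits.append("landing:google-drive-payload")
    return hits


def is_suspicious(subject, email_urls, landing_urls=()):
    """Flag only when at least two independent lure traits line up."""
    return len(score_message(subject, email_urls, landing_urls)) >= 2


# Constructed sample messages; hostnames and file ids are placeholders, not real IoCs.
SAMPLES = [
    ("Re: complaint on Smith",
     ["https://pages.example-marketing.test/complaint-letter-02-23-2021"],
     ["https://drive.google.com/file/d/PLACEHOLDER_ID/view"]),
    ("Acme Corp complaint",
     ["https://pages.example-marketing.test/complaint-letter-20210224"], []),
    ("Your weekly newsletter",
     ["https://newsletter.example.test/issue-42"], []),
]

if __name__ == "__main__":
    for subj, urls, landing in SAMPLES:
        print(f"{subj!r}: {score_message(subj, urls, landing)}")
```

Subject wording alone is a weak signal, so the rule only flags when the link-naming trait (or the Google Drive hand-off) corroborates it.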
Although the delivery methods are similar, the loader binaries used in these campaigns differ technically from BazarLoader. Unlike BazarLoader, these loaders did not use .bazar top-level domains to calculate the IPv4 command and control (C&C) addresses that returned the next payload instructions.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.