Author: Nick Sundvall
On 6 July, we observed a malspam campaign that was distributing an executable file containing Cobalt Strike: a legitimate, commercially available penetration-testing tool frequently abused by threat actors. Taking advantage of the recent ransomware attack on users of Kaseya’s remote monitoring and management service VSA, the campaign attempts to get its targets to download and run a file that it claims is the update meant to patch a recently exploited vulnerability in VSA.
We have previously reported on the ransomware attack on Kaseya’s VSA.1,2 While Malwarebytes has also reported on this malspam campaign, we have observed additional emails and malicious files.3
The company HelpSystems owns Cobalt Strike and sells it online. Cobalt Strike is a legitimate penetration-testing tool, but it is frequently abused by threat actors and used for malicious purposes. Cobalt Strike can log keystrokes, launch exploits for privilege escalation, connect to command and controls (C&Cs), and more.
In this campaign, the threat actor uses a topical lure that takes advantage of the recent ransomware attack on Kaseya’s VSA.4
- On 4 July, Kaseya stated they would email customers after releasing the patch.
- On 6 July, the threat actor began sending malspam.
- On 8 July, Kaseya responded by warning users of emails that contain malware and by releasing the following statement: “Kaseya email updates will not contain any links or attachments.”5
The subjects of the emails distributed by the campaign are rather generic, such as “Package Delivery Status #” or “Our Shipping Renewal 2021 INS,” which is followed by five to ten seemingly random numbers, such as “2887437.” However, the bodies of the emails contain a spoofed conversation, where the most recent message says: “please install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.”
The threat actor attempts to deliver the malicious payload in two ways. Each delivers the same payload.
- They attach the malicious executable SecurityUpdates.exe to the email, in hopes that the target will run the file.
- The body of the email includes a hyperlink that appears to go to a legitimate Kaseya site.
A vigilant reader might notice that when the cursor hovers over the hyperlink, the tooltip shows one of two unrelated, malicious URLs, which represent the two files we observed in the campaign.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.