Author: Nick Sundvall
TLP: WHITE
On 6 July, we observed a malspam campaign that was distributing an executable file containing Cobalt Strike: a legitimate, commercially available penetration-testing tool frequently abused by threat actors. Taking advantage of the recent ransomware attack on users of Kaseya’s remote monitoring and management service VSA, the campaign attempts to get its targets to download and run a file that it claims is the update meant to patch a recently exploited vulnerability in VSA.
We have previously reported on the ransomware attack on Kaseya’s VSA [1, 2]. Malwarebytes has also reported on this malspam campaign [3]; we have observed additional emails and malicious files beyond those covered there.
The company HelpSystems owns Cobalt Strike and sells it online. Cobalt Strike is a legitimate penetration-testing tool, but it is frequently abused by threat actors and used for malicious purposes. Cobalt Strike can log keystrokes, launch exploits for privilege escalation, connect to command-and-control (C&C) servers, and more.
In this campaign, the threat actor uses a topical lure that takes advantage of the recent ransomware attack on Kaseya’s VSA [4].
- On 4 July, Kaseya stated they would email customers after releasing the patch.
- On 6 July, the threat actor began sending malspam.
- On 8 July, Kaseya responded by warning users of emails that contain malware and by releasing the following statement: “Kaseya email updates will not contain any links or attachments.” [5]
The subjects of the emails distributed by the campaign are rather generic, such as “Package Delivery Status #” or “Our Shipping Renewal 2021 INS,” followed by five to ten seemingly random digits, such as “2887437.” However, the bodies of the emails contain a spoofed conversation, in which the most recent message says: “please install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.”
The threat actor attempts to deliver the malicious payload in two ways. Each delivers the same payload.
- They attach the malicious executable SecurityUpdates.exe to the email, in hopes that the target will run the file.
- The body of the email includes a hyperlink that appears to go to a legitimate Kaseya site.
A vigilant reader might notice that when the cursor hovers over the hyperlink, the tooltip shows one of two unrelated, malicious URLs, which represent the two files we observed in the campaign.
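The lure traits described above (generic subject with a trailing run of digits, the “update from microsoft … vulnerability in Kaseya” body text, the SecurityUpdates.exe attachment, and a link whose visible text claims a Kaseya site while the href points elsewhere) can be turned into a mail-gateway triage check. The following Python script is an added example and is not code from Infoblox or the advisory; the exact subject format encoded in the regular expression is an assumption, the sample message is constructed, and the attacker URL in it is a placeholder, not an observed indicator.

```python
"""Heuristic triage of an email for the Kaseya-themed Cobalt Strike lure.
Added example, not from the advisory. Sample messages are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Traits taken from the advisory; the precise subject layout is an assumption.
SUBJECT_RE = re.compile(
    r"^(Package Delivery Status|Our Shipping Renewal 2021 INS)\s*#?\s*\d{5,10}$"
)
LURE_PHRASES = ("install the update from microsoft", "vulnerability in kaseya")
SUSPECT_ATTACHMENT = "securityupdates.exe"
VENDOR_NAME = "kaseya"          # name the link text impersonates
VENDOR_DOMAIN = "kaseya.com"    # legitimate domain the href should resolve to


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_vendor_host(host: str) -> bool:
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def triage(raw: bytes) -> list:
    """Return the advisory-derived indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject matches campaign pattern")

    plain, html = "", ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname:                                   # any named attachment
            if fname.lower() == SUSPECT_ATTACHMENT:
                hits.append(f"attachment named {fname}")
            elif fname.lower().endswith(".exe"):
                hits.append(f"executable attachment {fname}")
        elif part.get_content_type() == "text/html":
            html = part.get_content()
        elif part.get_content_type() == "text/plain":
            plain = part.get_content()

    body = html or plain
    for phrase in LURE_PHRASES:
        if phrase in body.lower():
            hits.append(f"lure phrase: {phrase!r}")

    collector = _AnchorCollector()
    collector.feed(html)
    for href, text in collector.anchors:
        # Visible text names the vendor but the link resolves elsewhere.
        if VENDOR_NAME in text.lower() and not _is_vendor_host(_host(href)):
            hits.append(f"link text claims {VENDOR_NAME} but href host is {_host(href)}")
    return hits


def build_sample() -> bytes:
    """Constructed message carrying every trait above; URL is a placeholder."""
    body = ("please install the update from microsoft to protect against ransomware "
            "as soon as possible. This is fixing a vulnerability in Kaseya.")
    msg = EmailMessage()
    msg["Subject"] = "Package Delivery Status #2887437"
    msg["From"], msg["To"] = "sender@example.net", "victim@example.org"
    msg.set_content(body)
    msg.add_alternative(
        f'<p>{body}</p><p><a href="http://attacker-placeholder.invalid/SecurityUpdates.exe">'
        "https://helpdesk.kaseya.com/</a></p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="SecurityUpdates.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed notice of the kind Kaseya said it sends: no links, no attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Kaseya VSA patch availability notice"
    msg["From"], msg["To"] = "notices@example.net", "admin@example.org"
    msg.set_content("The VSA patch is now available from the customer portal.")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("sample", build_sample()), ("benign", build_benign())):
        print(name, triage(raw))
```

The check prefers the HTML body (where the spoofed link lives) and only scans anchors there; the plain-text alternative is used for the lure-phrase check when no HTML part exists. A production rule would add the sender and link reputation lookups that a gateway already has, but the text-versus-href comparison alone catches the mismatch the advisory describes.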
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://blogs.infoblox.com/cyber-threat-intelligence/kaseya-revil-ransomware-attack/
2. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory-kaseya-ransomware-attack-update-patch-available/
3. https://blog.malwarebytes.com/social-engineering/2021/07/malspam-banks-on-kaseya-ransomware-attack/
4. https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
5. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-3rd-2021