The email contains varying subject lines revolving around “order shipping” with messages instructing users to install the patch released by Microsoft.
A few days ago, Hackread.com covered how the REvil ransomware gang attacked the IT company Kaseya, an incident that left over 1,000 businesses victimized. Although the attackers have demanded a ransom in exchange for publishing a decryptor, there has been no outcome yet.
Taking advantage of this, a new malicious email campaign has appeared that claims to deliver a patch for the Kaseya vulnerability but in fact delivers malware, another example of attackers improvising around current events.
The emails carry varying subject lines revolving around “order shipping”, with messages instructing users to install a patch supposedly released by Microsoft.
The so-called patch link displays the URL of Kaseya’s own website, but once users click it they are redirected to a different server [220.127.116.11/download/pload.exe] where the malicious file is hosted.
The file itself contains the infamous Cobalt Strike payload. It is worth noting that Cobalt Strike is a legitimate threat-emulation tool that is nevertheless widely abused by threat actors. Additionally, the emails carry a malicious attachment named “SecurityUpdates.exe” which also installs Cobalt Strike.
Explaining how the malware works, researchers from Trustwave state:
“The executable file loads a Cobalt Strike launcher that unpacks and executes a Cobalt Strike beacon.dll in memory and creates an encrypted tunnel between the infected host and the adversaries.”
“Extracting the configuration of this Cobalt Strike beacon agent reveals the command and control server, port, the attacker’s public key to encrypt exfiltrated data and communications, user-agent, POST URI, among other things,” researchers explained.
The source email address is clearly bogus to anyone who inspects it closely, which makes the message easy to identify as a scam. However, unsuspecting and desperate users may, at a time like this, grab at any chance to fix the situation at hand and fall for it.
To conclude, it remains to be seen how this entire situation plays out, but regardless, it will prompt companies to take more measures than before, such as better data backup programs.
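The three indicators the article describes (a link whose visible text shows Kaseya’s domain while the real target is another host, an executable attachment, and a sender address that only pretends to be Kaseya) can be checked mechanically at the mail gateway. The following script is an added example, not code from Hackread or Trustwave; the sample message it parses is constructed for the demonstration, reusing only the IP address and file name quoted in the article, and the sender address in it is invented.

```python
"""Added example: flag the phishing indicators described in the article.
The message below is constructed; only the IP and file name come from the text."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes (sender address invented).
SAMPLE_EML = """\
From: "Kaseya Support" <support@kaseya-patches-update.example>
To: admin@victim.example
Subject: Order shipping - urgent Microsoft patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Install the patch released by Microsoft:</p>
<a href="http://220.127.116.11/download/pload.exe">https://www.kaseya.com/patch</a>
<p>Support: <a href="https://www.kaseya.com/support">https://www.kaseya.com/support</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="SecurityUpdates.exe"
Content-Disposition: attachment; filename="SecurityUpdates.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host named by a URL or bare www. domain, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def mismatched_links(html):
    """Links whose visible text names a different host than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else None
        actual = host_of(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def executable_attachments(msg):
    """Attachment names whose extension means the file runs when opened."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(EXEC_EXTENSIONS)]


def suspicious_sender(msg, brand="kaseya", brand_domain="kaseya.com"):
    """Return the address if its display name claims the brand but the domain does not match."""
    header = msg["From"]
    if header is None or not header.addresses:
        return None
    addr = header.addresses[0]
    domain = addr.domain.lower()
    claims_brand = brand in (addr.display_name or "").lower()
    on_brand_domain = domain == brand_domain or domain.endswith("." + brand_domain)
    return addr.addr_spec if claims_brand and not on_brand_domain else None


def analyse(raw):
    """Return the indicators found in one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "suspicious_sender": suspicious_sender(msg),
        "mismatched_links": mismatched_links(html),
        "executable_attachments": executable_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The link check only fires when the anchor text itself looks like a URL, which is exactly the trick the article describes (a trusted address shown, a different one fetched); plain-word link text is left to other controls. The sender check is deliberately narrow, a display name invoking the brand while the address sits on an unrelated domain, so that genuine mail from the brand’s own subdomains is not flagged.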