There are new articles available, click to refresh the page.
Yesterday β€” 29 September 2022Cisco Talos

Threat Source newsletter (Sept. 29, 2022) β€” Attackers are already using student loan relief for scams

29 September 2022 at 18:00

By Jon Munshaw.Β 

Welcome to this week’s edition of the Threat Source newsletter.Β 

I’ve spent the past few months with my colleague Ashlee Benge looking at personal health apps’ privacy policies. We found several instances of apps that carry sensitive information stating they would share certain information with third-party advertisers and even law enforcement agencies, if necessary.Β 

One of the most popular period-tracking apps on the Google Play store, Period Calendar Period Tracker, has a privacy policy that states it will "share information with law enforcement agencies, public authorities, or other organizations if We’re [sic] required by law to do so or if such use is reasonably necessary. We will carefully review all such requests to ensure that they have a legitimate basis and are limited to data that law enforcement is authorized to access for specific investigative purposes only."Β 

A report from the Washington Post also released last week found that this app, as well as popular health sites like WebMD, β€œgave advertisers the information they’d need to market to people, or groups of consumers based on their health concerns.” 

To me β€” these were all things I had never considered before. I’m sure I’m not alone in just going to Google to type in β€œpain in left flank” or something along those lines to see if I’m dying or not. The research Ashlee and I did really make me rethink the type of information I’m inputting into apps on my phone, especially around my health. For example, I de-coupled the Google Fit tracking from my phone so it’s not just counting steps in the background. And I’ve switched to a privacy-focused browser on my personal computer at home (it doesn’t help that I’m also mad at Chrome for ending support for ad blockers).Β Β 

I’m actually mad at myself that it took me this long to think more critically about this topic. The research has always been out there.Β 

A 2018 study from Privacy International found that 61 percent of apps they tested immediately started sharing data with Facebook the instant a user opens the appΒ  β€” this was at the peak of the discussion around the Cambridge Analytica/Facebook scandal. And the U.S. Federal Trade Commission filed a complaint against the Flo period-tracking app in January 2021 for misleading users about who it sends personal information to.Β 

We, collectively as a society, should have always been taking this issue more seriously. And the recent Supreme Court ruling in Dobbs v. Jackson Women's Health Organization is highlighting how personal data stored on apps could lead to legal consequences. The warning sides have always been there, but I think we were just too willing to trade in convenience in exchange for our privacy, thinking many of us have β€œnothing to hide.”  

The one big thingΒ 

Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing key roles in incidents over the past year. This is becoming an increasing challenge for companies that now have remote workers all over the globe, many of whom may never come back to the office again. And if one of these employees leaves, it could leave some major security gaps. Over the past six months to a year, Talos has seen an increasing number of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering.Β 

Why do I care?Β 

Insider threats are different than β€œtraditional” cyber attacks we think of because it’s not about a threat actor sitting in an entirely different country lobing malicious code at a network. It usually involves trying to socially engineer someone into unwittingly letting their guard down and providing access to a malicious user or giving up sensitive information in exchange for some money. This can seriously happen to anyone anywhere, increasingly so in the era of hybrid work.Β 

So now what?

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost, they typically are allowed to access the network and have valid login credentials. This is where traditional security controls like user and access control come into play. Organizations should limit the amount of access a user has to the minimum required for them to perform their job.Β 


Top security headlines from the week

Ukraine is warning that Russian state-sponsored actors are still targeting critical infrastructure with cyber attacks. The campaigns would likely be to β€œincrease the effect of missile strikes on electrical supply facilities,” the Ukrainian government said. The warning also stated that the actors would also target Baltic states and Ukrainian allies with distributed denial-of-service attacks. Meanwhile, the U.S. continues to invest money into Ukraine’s cyber defenses and volunteer hackers continue to pitch in across the globe. (CyberScoop, Voice of America)Β 

U.K. police arrested a teenager allegedly involved in the recent Rockstar data breach, which included leaked information regarding the upcoming β€œGrand Theft Auto VI” video game. The suspect may have ties to the Lapsus$ ransomware group and have some involvement in another data breach against the Uber rideshare company. Lapsus$’s recent activities are vastly different from what APTs’ traditional goals are, usually related to making money somehow, instead opting to just seemingly want to cause chaos of the sake of it. These two major breaches highlight the fact that many major organizations have unaddressed vulnerabilities. (TechCrunch, Wired)Β 

A disgruntled developer leaked the encryptor behind the LockBit 3.0 ransomware, the latest in a line of drama with the group. The builder works and could allow anyone to build their own ransomware. The Bl00Dy ransomware gang has already started to use the leaked builder in attacks against companies. Bl00Dy has been operating since May 2022, first targeting medical and dental offices in New York. In the past, the group has also used leaked code from Babuk and Conti to build their ransomware payloads. They also claim to have a Tor channel they use to post leaks from affected companies if they do not pay the ransom. (The Record, Bleeping Computer)Β 

Can’t get enough Talos?Β 

Upcoming events where you can find TalosΒ 


GovWare 2022Β (Oct. 18 - 20)
Sands Expo & Convention Centre, SingaporeΒ 

Most prevalent malware files from Talos telemetry over the past weekΒ Β 

SHA 256:Β e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934Β Β 
MD5:Β 93fefc3e88ffb78abb36365fa5cf857cΒ Β 
Typical Filename:Β WextractΒ Β 
Claimed Product:Β Internet ExplorerΒ Β 
Detection Name:Β PUA.Win.Trojan.Generic::85.lp.ret.sbx.tgΒ Β 

MD5:Β 2c8ea737a232fd03ab80db672d50a17aΒ  Β  Β 
Typical Filename:Β LwssPlayer.scrΒ  Β  Β 
Claimed Product: 撦想之巅幻灯播放器  Β  Β 
Detection Name:Β Auto.125E12.241442.in02Β 

MD5: 10f1561457242973e0fed724eec92f8cΒ  Β 
Typical Filename: ntuser.vbeΒ  Β 
Claimed Product: N/AΒ  Β Β 
Detection Name: Auto.1A234656F8.211848.in07.TalosΒ 

MD5:Β 8a5f8ed00adbdfb1ab8a2bb8016aafc1Β  Β 
Typical Filename:Β RunFallGuys.exeΒ 
Claimed Product:Β N/AΒ 
Detection Name:Β W32.Auto:c326d1.in03.TalosΒ 

MD5: 147c7241371d840787f388e202f4fdc1Β 
Typical Filename: EKSPLORASI.EXEΒ 
Claimed Product: N/AΒ Β 
Detection Name: Win32.Generic.497796Β 
Before yesterdayCisco Talos

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

28 September 2022 at 12:12
By Chetan Raghuprasad and Vanja Svajcer.
  • Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
  • Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
  • The attack involves a multistage and modular infection chain with fileless, malicious scripts.

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.

The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository.

Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload.

The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic.

Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads.

This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.

Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain.

Initial vector

The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information.

Initial malicious email message.

The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determine the eligibility of the job applicant for employment with U.S. federal government contractors and their alleged enrollment status in the government's life insurance program.

The text in the maldoc resembles the contents of a declaration form of the U.S. Office of Personnel Management (OPM) which serves as the chief human resources agency and personnel policy manager for the U.S. federal government.

Contents of maldoc sample 1.

Another maldoc of the same campaign contains a job description advertising for roles related to delegating development, PSA plus β€” a prominent New Zealand trade union β€” and administrative support for National Secretaries at the Public Service Association office based out of Wellington, New Zealand. The contents of this maldoc lure resemble the legitimate job description documents for the New Zealand Public Service Association, another workers' union for New Zealand federal employees, headquartered in Wellington.

Contents of maldoc sample 2.

PSA New Zealand released this legitimate job description document in April 2022. The threat actor constructed the maldoc to contain the text lures to make it appear as a legitimate document on May 6, 2022. Talos' observation shows that the threat actors are also regular consumers of online news.

Attack methodologies

Attack methodologies employed by the actor in this campaign are highly modularised and have multiple stages in the infection chain.

Talos discovered two different attack methodologies of this campaign with a few variations in the TTPs', while the initial infection vector, use of remote template injection technique and the final payload remained the same.

Method 1

This is a modularised method with multiple stages in the infection chain to implant a Cobalt Strike beacon, as outlined below:

Summary of attack method 1 infection chain.

Stage 1 maldoc: DOTM template

The malicious Word document contains an embedded URL, https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/EmmaJardi.dotm, within its relationship component "word/_rels/settings.xml.rels". When a victim opens the document, the malicious DOTM file is downloaded.

Contents of settings.xml.rels of maldoc.

Stage 2: VBA dropper

The downloaded DOTM executes the malicious Visual Basic for Applications (VBA) macro. The VBA dropper code contains an encoded data blob which is decoded and written into an HTA file, "example.hta," in the user profile local application temporary folder. The decoded content written to an HTA file is the next VB script, which is executed using the ShellExecuted method.

Stage 2 VBA dropper.

Stage 3 VB script

The third-stage VBS structure is similar to that of the stage 2 VB dropper. An array of the encoded data will be decoded to a PowerShell script, which is generated in the victim's system memory and executed.

Stage 3 VB script.

Stage 4 PowerShell script

The PowerShell dropper script executed in the victim's system memory contains an AES-encrypted data blob as a base64-encoded string and another base64-encoded string of a decryption key. The encoded strings are converted to generate the AES encrypted data block and the 256-bit AES decryption key. Using the decryption key, the encrypted data generates a PowerShell downloader script, which is executed using the PowerShell IEX function.

Stage 4 PowerShell script.

Stage 5 PowerShell downloader

The PowerShell downloader script is obfuscated and contains encoded blocks that are decoded to generate the download URL, file execution path and file extensions.

The following actions are performed by the script upon its execution in victim's system memory:

  1. The script downloads the payload from the actor controlled remote location through the URL "https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/newmodeler.dll" to the user profile local application temporary folder.
  2. The script performs a check on the file extension of the downloaded payload file.
  3. If the payload has the extension .dll, the script will run the DLL using rundll32.exe exhibiting the use of sideloading technique.
  4. If the payload has an MSI file extension, the payload is executed using the command
    "msiexec /quiet /i <payload>".
  5. If the payload is an EXE file, then it will run it as a process using the PowerShell commandlet
  6. Upon running the payload, the script will hide the payload file to establish persistence by setting the "hidden" file system attribute of the payload file.

During our analysis, we discovered that the downloaded payload is a Cobalt Strike DLL beacon.

Stage 5 PowerShell downloader.

Method 2

The second attack method of this campaign is also modular, but is using less sophisticated Visual Basic and PowerShell scripts. We spotted that, in the attack chain, the actor employed a 64-bit Windows executable downloader which executes the PowerShell commands responsible for downloading and running the Cobalt Strike payload.

Summary of attack method 2 infection chain.

Stage 1 maldoc: DOTM template

When a victim opens the malicious document, Windows attempts to download a malicious remote DOTM template through the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/ww.dotm," which was embedded in its relationship component of the file settings.xml.rels."

Contents of settings.xml.rels of maldoc.

Stage 2 VB script

The DOTM template contains a VBA macro that executes a function to decode an encoded data block of the macro to generate the PowerShell downloader script and execute it with the shell function.

Stage 2 VB script.

Stage 3 PowerShell downloader

The PowerShell downloader command downloads a 64-bit Windows executable and runs it as a process in the victim's machine.

Stage 3 PowerShell downloader.

Stage 4 downloader executable

The downloader is a 64-bit executable that runs as a process in the victim's environment. It executes the PowerShell command, which downloads the Cobalt Strike payload DLL through the URL "https[://]bitbucket[.]org/clouchfair/oneproject/downloads/strymon.png" to the userprofile local application temporary directory with a spoofed extension .png and sideloads the DLL using rundll32.exe.

Stage 4 downloader EXE.

The downloader also executes the ping command to the IP address 1[.]1[.]1[.]1 and executes the delete command to delete itself. The usage of ping command is to instill a delay before deleting the downloader.


Talos discovered that the final payload of this campaign is a Cobalt Strike beacon. Cobalt Strike is a modularised attack framework and is customizable. Threat actors can add or remove features according to their malicious intentions. Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections. Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binary into the running processes of the infected machines and can avoid having a separate injection module implants in their infection chain.

The Cobalt Strike beacon configurations of this campaign showed us various characteristics of the beacon binary:
  • C2 server.
  • Communication protocols.
  • Process injection techniques.
  • Malleable C2 Instructions.
  • Target process to spawn for x86 and x64 processes.
  • Watermark : "Xi54kA==".
Cobalt Strike beacon configuration sample.

The Cobalt Strike beacon used in this campaign has the following capabilities:
  • Executes arbitrary codes in the target processes through process injection. Target processes described in the beacon configuration related to this campaign include:
    "%windir%\syswow64\dllhost.exe -o enable"

    "%windir%\sysnative\getmac.exe /V"

  • A high-reputation domain defined in the HostHeader component of the beacon configuration. The actor is using this redirector technique to make the beacon traffic appear legitimate and avoid detection.

Malicious repository

The attacker in this campaign has hosted malicious DOTM templates and Cobalt Strike DLLs on Bitbucket using different accounts. We spotted two attacker-controlled accounts "atlasover" and "clouchfair" in this campaign: https[://]bitbucket[.]org/atlasover/atlassiancore/downloads and https[://]bitbucket[.]org/clouchfair/oneproject/downloads.

During our analysis, the account "atlasover" was live and showed us the hosting information of some of the malicious files in this campaign.

Attacker-controlled bitbucket repository.

Talos also discovered in VirusTotal that the attacker operated the Bitbucket account "clouchfair," using the account to host two other information stealer executables, Redline and Amadey, along with a malicious DOTM template and Cobalt Strike DLL.

Command and control

Talos discovered the C2 server operated in this campaign with the IP address 185[.]225[.]73[.]238 running on Ubuntu Linux version 18.04, located in the Netherlands and is a part of the Alibaba cloud infrastructure.

Shodan search results showed us that the C2 server contained two self-signed SSL certificates with the serial numbers 6532815796879806872 and 1657766544761773100, which are valid from July 14, 2022 - July 14, 2023.

SSL certificate associated with the C2 servers.

Pivoting on the SSL certificates disclosed another Cobalt Strike C2 server with the IP address 43[.]154[.]175[.]230 running on Ubuntu Linux version 18.04 located in Hong Kong, which is also part of Alibaba cloud infrastructure and more likely is operated by the same actor of this campaign.


Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort Rule 60600 is available for this threat.

The following ClamAV signatures have been released to detect this threat:


The IOC list is available in Talos' Github repo here.

  • There are no more articles