Cybercriminals are preying on job seekers in the United States and New Zealand to distribute Cobalt Strike beacons, as well as other malware.
Researchers from Cisco Talos claim an unknown threat actor is sending out multiple phishing lures via email, assuming the identity of the US Office of Personnel Management (OPM), as well as the New Zealand Public Service Association (PSA).
The email invites the victim to download and run an attached Word document, claiming it holds more details about the job opportunity.
Remote code execution
The document is laced with macros which, if run, exploit a known vulnerability tracked as CVE-2017-0199, a remote code execution flaw fixed in April 2017. Running the macro results in Word downloading a document template from a Bitbucket repository. The template then executes a series of Visual Basic scripts which, in turn, download a DLL file called "newmodeler.dll". That DLL is, in fact, a Cobalt Strike beacon.
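A defender-side check for the delivery mechanism described above, added here as an example and not code from the article or from Cisco Talos: it inspects a Word OOXML archive for an embedded VBA project and for relationships that point at an http(s) template, the pattern behind remote-template loading. The part names and relationship type are standard OOXML; the sample archive the helper builds is constructed for the demonstration, and any URL passed to it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def scan_docx(data: bytes) -> dict:
    """Collect macro and external-link indicators from a Word OOXML archive."""
    findings = {"has_macros": False, "remote_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = archive.namelist()
        # A vbaProject.bin part means the file carries VBA macros.
        findings["has_macros"] = "word/vbaProject.bin" in names
        # Any .rels part may hold an External relationship pointing at a URL.
        for name in (n for n in names if n.endswith(".rels")):
            root = ET.fromstring(archive.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    continue
                if urlparse(target).scheme in ("http", "https"):
                    findings["remote_targets"].append(
                        {"part": name, "type": rel.get("Type", ""), "target": target})
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag files with macros or an attachedTemplate fetched over http(s)."""
    return findings["has_macros"] or any(
        r["type"] == TEMPLATE_REL for r in findings["remote_targets"])


def build_sample_docx(template_url: str = "", macros: bool = False) -> bytes:
    """Constructed stand-in for a .docx: only the parts the scanner inspects."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_url:
        rels.append(f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if macros:
            archive.writestr("word/vbaProject.bin", b"")  # empty placeholder part
    return buf.getvalue()
```

Running `scan_docx` over real mail attachments gives the external URL and part name, which is what an analyst needs to block the template host and to write a mail-gateway rule.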
There is also another, less complicated distribution method, in which the malware downloader is fetched directly from Bitbucket.
With the help of a Cobalt Strike beacon, the threat actors can remotely execute various commands on the compromised endpoint, steal data, and move laterally throughout the network, mapping it out and finding more sensitive data.
The researchers claim the beacons communicate with a Ubuntu server, hosted by Alibaba, and based in the Netherlands. It contains two self-signed and valid SSL certificates.
Cisco did not name the threat actors behind this campaign, but there is one prominent name that’s been engaged in numerous fake job campaigns lately, and that’s Lazarus Group.
The infamous North Korean state-sponsored threat actor has been targeting blockchain developers, artists working on non-fungible tokens (NFT), as well as aerospace experts and political journalists with fake jobs, stealing cryptocurrencies and valuable information.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.