nomadcor.blogg.se - How to make cobalt strike beacon stealthy

How to make cobalt strike beacon stealthy archive#
How to make cobalt strike beacon stealthy software#
How to make cobalt strike beacon stealthy code#

The so-called "special operation" in Ukraine hasn't unfolded the way Kremlin had envisioned, and western sanctions manifested on a scale way beyond what was accounted for, so this campaign may be the result of the higher government ramping up its alertness against potential coups. The above organizations indicate that the phishing actors target individuals who hold key positions and could cause problems to the central government by instigating war-opposing movements.

Ministry of science and higher education of the Russian Federation.

Portal of the state and municipal service Moscow region.

Ministry of Education of the Irkutsk region.

Minister of Education and Science of the Republic of North Ossetia-Alania.

Ministry of Education of the Stavropol Territory.

ministry of education and science of the Republic of Altai.

Portal of authorities of the Chuvash Republic Official Internet portal.

The targets of this campaign work mainly in the Russian government and public agencies, including the following entities:

RTF file triggering the rendering engine exploit (Malwarebytes)Īs is to be expected, all of the phishing emails are written in Russian, and they seem to have been crafted by native speakers of the language and not machine translated, suggesting that the campaign is endeavor from a Russian-speaking actor.Īpart from Cobalt Strike, Malwarebytes also noticed parallel attempts to deploy a heavily obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities.

How to make cobalt strike beacon stealthy code#

The case of the RTFs is the most interesting due to involving the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents.

How to make cobalt strike beacon stealthy archive#

The threat actors use three different file types to infect their targets with Cobalt Strike, namely RTF (rich text format) files, archive attachments of documents laced with malicious documents, and download links embedded in the email body. The "Ministry of Information Technologies and Communications of the Russian Federation" and the "Ministry of Digital Development, Communications, and mass communications" are the primary two spoofed entities. The phishing emails pretend to be from a Russian state entity, a ministry, or a federal service, to entice recipients to open the attachment.

The campaign's discovery and subsequent reporting come from threat analysts at Malwarebytes Labs, who have managed to sample several of the bait emails. The messages come with a malicious attachment or link embedded in the body that is dropping a Cobalt Strike beacon to the recipient's system, enabling remote operators to conduct espionage on the target.

How to make cobalt strike beacon stealthy software#

The campaign targets government employees and public servants with emails warning of the software tools and online platforms that are forbidden in the country.

A new spear phishing campaign is taking place in Russia targeting dissenters with opposing views to those promoted by the state and national media about the war against Ukraine.