Cobalt Strike beacons are being deployed in a new malware campaign involving fraudulent job-themed lures, which was initially identified in August, reports The Hacker News.
Threat actors have been exploiting a Microsoft Office remote code execution vulnerability, tracked as CVE-2017-0199, to take over systems, according to a Cisco Talos report. The initial attack vector is a phishing email carrying a Word document that advertises job openings with the U.S. government and the New Zealand-based trade union Public Service Association. A successful attack then results in the delivery of a leaked Cobalt Strike beacon.
"The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic," said researchers. Redline Stealer and the Amadey botnet have also been used as the attack's other payloads.
"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory... Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain," researchers added.
Vulnerable Apache NiFi implementations are being targeted in new attacks deploying the Kinsing cryptomining malware, as indicated by the significant increase in HTTP requests for "/nifi" on May 19, according to The Hacker News.
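As an added, defender-side illustration of the indicator mentioned above (a spike in requests for "/nifi"), and not code from the cited report: the Python below parses constructed Common Log Format lines, counts requests to the watched path per day, and flags a day whose count jumps well above the average of the earlier days. The "/nifi" prefix, the spike ratio and the minimum-hit threshold are assumptions chosen for the illustration; the log lines and IP addresses are constructed samples.

```python
"""Spike detection for a watched URL path in web-server access logs.

Added illustration, not code from the cited report. The log lines are
constructed samples in Common Log Format; the "/nifi" prefix and the
thresholds in find_spikes() are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: a trickle of /nifi traffic on May 17 and 18, then a burst
# of requests from several sources on May 19. One malformed line and a couple
# of near-miss paths (/nifty, /nifi-admin) are included to exercise the parser.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2023:10:01:12 +0000] "GET /nifi HTTP/1.1" 200 512
198.51.100.9 - - [17/May/2023:11:20:45 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [18/May/2023:09:14:03 +0000] "GET /nifi/ HTTP/1.1" 200 512
198.51.100.23 - - [18/May/2023:15:42:11 +0000] "GET /api/status HTTP/1.1" 200 64
this is not a log line
192.0.2.41 - - [19/May/2023:02:03:01 +0000] "GET /nifi HTTP/1.1" 200 512
192.0.2.42 - - [19/May/2023:02:03:02 +0000] "GET /nifi/ HTTP/1.1" 200 512
192.0.2.43 - - [19/May/2023:02:03:04 +0000] "GET /nifty HTTP/1.1" 404 0
192.0.2.43 - - [19/May/2023:02:03:05 +0000] "GET /nifi HTTP/1.1" 200 512
192.0.2.44 - - [19/May/2023:02:03:06 +0000] "GET /nifi-admin HTTP/1.1" 404 0
192.0.2.44 - - [19/May/2023:02:03:07 +0000] "GET /nifi HTTP/1.1" 200 512
192.0.2.45 - - [19/May/2023:02:03:08 +0000] "GET /nifi HTTP/1.1" 200 512
192.0.2.41 - - [19/May/2023:02:03:09 +0000] "GET /nifi HTTP/1.1" 200 512
198.51.100.9 - - [19/May/2023:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one Common Log Format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "19/May/2023:02:03:01 +0000" -> the calendar day, used as the bucket key
    rec["day"] = datetime.strptime(rec["ts"].split(":")[0], "%d/%b/%Y").date()
    return rec


def daily_hits(log_text, prefix="/nifi"):
    """Per day, count requests whose path is exactly `prefix` or lies under it,
    and how many distinct source IPs sent them. Returns {day: (hits, ips)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        # Exact match or a sub-path; "/nifty" and "/nifi-admin" must not count
        if path == prefix or path.startswith(prefix + "/"):
            counts[rec["day"]] += 1
            sources[rec["day"]].add(rec["ip"])
    return {day: (counts[day], len(sources[day])) for day in counts}


def find_spikes(hits, ratio=3.0, min_hits=5):
    """Flag days whose hit count is at least `ratio` times the mean of all
    earlier days and at least `min_hits` (so one extra request on a quiet
    host is not an alert). Returns a list of (day, hits, distinct_ips)."""
    spikes = []
    history = []
    for day in sorted(hits):
        count, ips = hits[day]
        if history:
            baseline = mean(history)
            if count >= min_hits and count >= ratio * baseline:
                spikes.append((day.isoformat(), count, ips))
        history.append(count)
    return spikes


if __name__ == "__main__":
    for day, count, ips in find_spikes(daily_hits(SAMPLE_LOG)):
        print(f"{day}: {count} requests for /nifi from {ips} source IPs")
```

The distinct-IP count is reported alongside the hit count because a burst spread over many sources reads differently from one client retrying; in a real deployment the baseline would come from a longer window than the two quiet days in the sample.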
Cuba ransomware affiliate Void Rabisu, also known as Tropical Scorpius, used numerous fraudulent websites masquerading as legitimate software, including ChatGPT, Gimp, AstraChat, and Go To Meeting, in a new RomCom malware campaign that ran from December 2022 to April 2023 and mostly targeted Eastern Europe, according to BleepingComputer.