As thousands of businesses struggle to recover after the ransomware attack on Kaseya VSA, threat actors are trying to monetize the situation. They are pushing spam emails carrying Cobalt Strike payloads disguised as Kaseya security updates, the Malwarebytes Threat Intelligence team reported.
The REvil ransomware gang hit the software provider Kaseya last week, encrypting systems at over 1,500 of its customers.
The goal of the phishing campaign reported by Malwarebytes is to harvest or exfiltrate sensitive data or deliver second-stage malware payloads.
Cobalt Strike is a penetration testing tool that is increasingly abused by attackers to perform post-exploitation tasks. It can also be used to deploy so-called beacons, which give attackers remote access to compromised systems.
“Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans,” Cisco Talos said in a September quarterly report.
In the malspam campaign, attackers use two different delivery methods for the Cobalt Strike payloads. The malicious emails carry a malicious attachment, and they also contain an embedded link that poses as a Microsoft patch for the Kaseya VSA zero-day exploited by REvil.
“A malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop CobaltStrike,” the Malwarebytes Threat Intelligence team said. “It contains an attachment named ‘SecurityUpdates.exe’ as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability!”
Once the target runs the malicious attachment or downloads the fake update, the attackers gain remote access to the targeted system.
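As an added illustration (not code from the Malwarebytes report or this article), a small mail-triage check that flags the two lures described above: an executable attachment named like a security update, and a link that claims to be a Microsoft patch but points at a non-Microsoft host. The sample messages and hostnames are constructed placeholders, not real indicators.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Attachment types that should never arrive as a "security update" by email.
EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".js", ".vbs", ".ps1")
# Wording used by update-themed lures, in attachment names or link text.
UPDATE_WORDS = re.compile(r"(security\s*update|patch|hotfix)", re.I)
# Hosts from which genuine Microsoft updates are served (hypothetical allow-list).
MS_HOSTS = ("microsoft.com", "windowsupdate.com")

def is_microsoft_host(url: str) -> bool:
    """True only if the URL's host is a Microsoft domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MS_HOSTS)

def scan_email(msg: Dict) -> List[str]:
    """Return findings for one parsed message.
    msg = {"subject": str, "attachments": [filename], "links": [(anchor_text, href)]}
    """
    findings = []
    for name in msg.get("attachments", []):
        if name.lower().endswith(EXEC_SUFFIXES) and UPDATE_WORDS.search(name):
            findings.append(f"executable posing as an update: {name}")
    for text, href in msg.get("links", []):
        claims_update = UPDATE_WORDS.search(text) or "microsoft" in text.lower()
        if claims_update and not is_microsoft_host(href):
            findings.append(f"update link to non-Microsoft host: {href}")
    return findings

# Constructed samples: one mimicking the campaign's lures, one benign.
SAMPLE_EMAILS = [
    {"subject": "Kaseya VSA security update",
     "attachments": ["SecurityUpdates.exe"],
     "links": [("Download the Microsoft patch for Kaseya VSA",
                "http://update-files.example/ms-patch")]},
    {"subject": "Monthly newsletter",
     "attachments": ["agenda.pdf"],
     "links": [("Microsoft security update", "https://www.microsoft.com/security")]},
]

def scan_all(emails: List[Dict] = SAMPLE_EMAILS) -> Dict[str, List[str]]:
    """Map each message subject to its list of findings (empty means clean)."""
    return {e["subject"]: scan_email(e) for e in emails}

if __name__ == "__main__":
    for subject, hits in scan_all().items():
        print(subject, "->", hits or ["clean"])
```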
In a similar campaign following the Colonial Pipeline attack a month ago, threat actors used fake system updates to trick users into downloading malware.