A malware delivery campaign has been identified that uses phishing emails, malicious macros, PowerShell, and steganography to deliver a malicious Cobalt Strike script.

web protection

The initial phishing emails contain a legacy Word attachment (.doc) with a malicious macro that downloads a PowerShell script from GitHub if allowed to run. That script in turn downloads a PNG image file from the legitimate image sharing service Imgur. The image contains hidden code within its pixels which can be executed with a single command to execute the payload. In this case, a Cobalt Strike script.

Cobalt Strike is a commonly used penetration testing tool. While it is used by security professionals for legitimate security purposes, it is also of value to hackers. The tool allows beacons to be added to compromised devices which can be used to execute PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the attackers avoid detection.

The hiding of code within image files is known as steganography and has been used for many years as a way of hiding malicious code, typically in PNG files to prevent the code from being detected. With this campaign the deception doesn’t end there. The Cobalt Strike script includes an EICAR string that is intended to fool security solutions and security teams into classing the malicious code as an antivirus payload, except contact is made with the attacker’s command and control server and instructions are received.

This campaign was identified by researcher ArkBird who likened the campaign to one conducted by an APT group known as Muddywater, which emerged around 2017. The threat group, aka Static kitten/Seedworm/Mercury, primarily conducts attacks on Middle eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is unclear whether this group is responsible for the campaign.

Naturally one of the best ways to block these types of attacks is by preventing the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for analyzing attachments in safety will help to ensure that these messages do not get delivered to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent via email.

A web filtering solution is also beneficial. Web filters such as WebTitan can be configured to give IT teams control over the web content that employees can access. Since GitHub is commonly used by IT professionals and other employees for legitimate purposes, an organization-wide block on the site is not recommended. Instead, a selective block can be placed for groups of employees or departments that prevents GitHub and other potentially risky code sharing sites such as PasteBin from being accessed, either deliberately or unintentionally, to provide an extra layer of protection.