A recent campaign drops Cobalt Strike Beacons, the RedLine Infostealer, and the Amadey Botnet with malicious scripts using two distinct methods.
Context
On September 28, 2022, Talos security researchers reported a campaign delivering Cobalt Strike beacons, the RedLine Infostealer, and Amadey botnet executables active since at least August 2022. Cobalt Strike is by far the most prevalent payload in the campaign, and Talos researchers assess that the beacons are intended for future use. The campaign leverages a multistage and modular infection chain using file-less malicious scripts. As of this writing, there is no available information on the targets of the campaign or the threat actors operating the campaign.
Community Impact
All three payloads dropped in the campaign (Cobalt Strike, RedLine, and Amadey) are known threats to the retail, hospitality, and travel sectors.
Technical Details
Talos researchers note that the campaign uses phishing lures with malicious Word document attachments impersonating government organizations in the U.S. and a trade union in New Zealand. The malicious Word documents attempt to exploit CVE-2017-0199, a remote code execution issue in Microsoft Office.
Talos researchers reported two attack methodologies in the campaign:
- The downloaded DOTM template executes an embedded malicious Visual Basic script, which generates and executes further obfuscated VB and PowerShell scripts.
- The malicious VB script downloads and runs a Windows executable that executes malicious PowerShell commands to download and implant the payload.
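A defender-side check for the first stage described above (a Word document that fetches a remote DOTM template when opened), added here as an example that is not from the Talos report: it opens a .docx/.docm package and flags any External-mode attachedTemplate or oleObject relationship in the word/_rels/*.rels parts. The sample document builder and the template URL are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose external targets Word fetches when the file is opened.
SUSPICIOUS_REL_TYPES = ("attachedTemplate", "oleObject")


def find_external_relationships(docx_bytes):
    """Return (part name, relationship type, target) for every External-mode
    relationship of a suspicious type found in any word/_rels/*.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type in SUSPICIOUS_REL_TYPES:
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def build_sample_docx(external_template=None):
    """Constructed minimal .docx package (assumption: not a real sample). When
    external_template is set, the settings part carries an attachedTemplate
    relationship to that URL, the shape a remote-template document uses."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if external_template:
        rels.append('<Relationship Id="rId1" Type="%sattachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % (OFFICE_REL, external_template))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL, not an indicator from the report.
    sample = build_sample_docx("http://template.example.invalid/remote.dotm")
    for part, rel_type, target in find_external_relationships(sample):
        print("ALERT: %s -> %s (%s)" % (part, rel_type, target))
```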
Mitigation and Detection Options
Talos researchers provided the following ClamAV detection signatures:
- Win.Packed.Generic-9956955-0
- Win.Malware.CobaltStrike-9968593-1
- Win.Dropper.AgentTesla-9969002-0
- Win.Dropper.Swisyn-9969191-0
- Win.Trojan.Swisyn-9969193-0
- Win.Malware.RedlineStealer-9970633-0
IOCs
Talos researchers provided the following indicators of compromise (IOCs):
| Indicator | Type | Notes |
| --- | --- | --- |
| 185[.]225[.]73[.]238 | IP Address | C2 Server |
| 43[.]154[.]175[.]230 | IP Address | C2 Server |
| https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/EmmaJardi[.]dotm | Domain | Stage 1 Malicious File Download |
| https[://]bitbucket[.]org/atlasover/atlassiancore/downloads/newmodeler[.]dll | Domain | Stage 5 PowerShell Downloader |
| https[://]bitbucket[.]org/clouchfair/oneproject/downloads/ww[.]dotm | Domain | Stage 1 Malicious File Download |
| https[://]bitbucket[.]org/clouchfair/oneproject/downloads/strymon[.]png | Domain | Stage 4 Payload Downloader |