Bogus Kaseya VSA security update delivers Cobalt Strike

Malicious actors are trying to take advantage of the recent Kaseya VSA ransomware attack that affected hundreds of businesses and organizations across the world. Researchers from the Malwarebytes Threat Intelligence team said they spotted a spam campaign deploying Cobalt Strike payloads masquerading as Kaseya VSA security updates.

Cobalt Strike is a post-exploitation penetration and security testing tool used for both legitimate and malicious purposes. According to Cisco Talos Incident Response (CTIR), 66% of all ransomware attacks detected in the third quarter of 2020 involved the Cobalt Strike framework, “suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans.”

Malwarebytes researchers said the new phishing campaign involves phishing emails containing “an attachment named 'SecurityUpdates.exe' as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability.”

Once the victim runs the attachment or downloads the fake Microsoft update, Cobalt Strike is installed on the system, providing the threat actors persistent remote access to the targeted machine.

In a recent update regarding the REvil ransomware outbreak, the US technology firm Kaseya said it found no evidence that the hackers tampered with the codebase of its VSA on-premises product. The company estimates that nearly 1,500 businesses have been affected by the ransomware attack.