These fake US government job ads are spreading more malware

Cybercriminals are preying on job seekers in the United States and New Zealand to distribute Cobalt Strike beacons, but also other viruses and malware, as well. 

Researchers from Cisco Talos claim an unknown threat actor is sending out multiple phishing lures via email, assuming the identity of the US Office of Personnel Management (OPM), as well as the New Zealand Public Service Association (PSA).

The email invites the victim to download and run an attached Word document, claiming it holds more details about the job opportunity.

Remote code execution

The document is laced with macros which, if run, exploit a known vulnerability tracked as CVE-2017-0199, a remote code execution flaw fixed in April 2017. Running the macro results in Word downloading a document template from a Bitbucket repository. The template then executes a series of Visual Basic scripts which, consequently, downloads a DLL file called “newmodeler.dll”. That DLL is, in fact, a Cobalt Strike beacon.

There is also another, less complicated distribution method, in which the malware downloader is fetched directly from Bitbucket.

With the help of a Cobalt Strike beacon, the threat actors can remotely execute various commands on the compromised endpoint, steal data, and move laterally throughout the network, mapping it out and finding more sensitive data. 

The researchers claim the beacons communicate with a Ubuntu server, hosted by Alibaba, and based in the Netherlands. It contains two self-signed and valid SSL certificates.

Cisco did not name the threat actors behind this campaign, but there is one prominent name that’s been engaged in numerous fake job campaigns lately, and that’s Lazarus Group. 

The infamous North Korean state-sponsored threat actor has been targeting blockchain developers, artists working on non-fungible tokens (NFT), as well as aerospace experts and political journalists with fake jobs, stealing cryptocurrencies and valuable information. 

Via: BleepingComputer

Go to Source