Security News > 2020 > December > GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
2020-12-28 06:57
A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.
Word macro spins up PowerShell script hosted on GitHub.
Decoded script executes Cobalt Strike payload. The decoded script obtained from manipulating the PNG's pixel values is a Cobalt Strike script.
Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy "Beacons" on compromised devices to remotely "Create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."
News URL
Related news
- Malicious Visual Studio projects on GitHub push Keyzetsu malware (source)
- Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading Malware (source)
- GitHub comments abused to push malware via Microsoft repo URLs (source)
- GitLab affected by GitHub-style CDN flaw allowing malware hosting (source)
- Using Legitimate GitHub URLs for Malware (source)