Fake US govt job offers push Cobalt Strike in phishing attacks (Security News, September 2022)
A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims' devices.
The discovery comes from researchers at Cisco Talos who observed two different phishing lures, both targeting job seekers and leading to the deployment of Cobalt Strike.
Both attacks begin with a malicious email that presents the recipient with a lucrative job offer in the US federal government, supposedly sent from the US Office of Personnel Management.
The executable launches a PowerShell command that downloads the Cobalt Strike DLL to the %UserProfile%\AppData\Local\Temp directory and then deletes itself.
With Cobalt Strike being one of the most widely used tools to gain initial access to corporate networks and spread laterally within one, we have seen an increase in phishing attacks distributing beacons over the past few years.
Last year, Emotet phishing attacks started dropping Cobalt Strike for the first time, and more recently, phishing attacks have targeted Russian dissidents and Ukrainian entities.
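The behaviour described above (an executable starting PowerShell, a DLL appearing under %UserProfile%\AppData\Local\Temp, and the executable then deleting itself) can be hunted for by correlating endpoint events. The following detection logic is an added example, not code from Cisco Talos or the original article; the event fields, file names and five-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
import ntpath

# Constructed, simplified endpoint events (fields loosely modelled on
# process-create, file-create and file-delete telemetry). All names are made up.
EVENTS = [
    {"t": "2022-09-30T10:00:00", "type": "proc", "pid": 4100, "ppid": 900,
     "image": r"C:\Users\alice\Downloads\attachment.exe"},
    {"t": "2022-09-30T10:00:02", "type": "proc", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"t": "2022-09-30T10:00:05", "type": "file_create", "pid": 4188,
     "path": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"t": "2022-09-30T10:00:06", "type": "file_delete", "pid": 4100,
     "path": r"C:\Users\alice\Downloads\attachment.exe"},
    # Benign contrast: PowerShell from Explorer, no DLL drop, no parent deletion.
    {"t": "2022-09-30T11:00:00", "type": "proc", "pid": 5200, "ppid": 700,
     "image": r"C:\Windows\explorer.exe"},
    {"t": "2022-09-30T11:00:01", "type": "proc", "pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"t": "2022-09-30T11:00:03", "type": "file_create", "pid": 5300,
     "path": r"C:\Users\alice\AppData\Local\Temp\report.txt"},
]

TEMP = "\\appdata\\local\\temp\\"
SHELLS = ("powershell.exe", "pwsh.exe")

def find_dropper_chains(events, window=timedelta(minutes=5)):
    """Flag PowerShell children that drop a DLL in Temp while the parent image is deleted."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for ps in procs.values():
        parent = procs.get(ps["ppid"])
        if ntpath.basename(ps["image"]).lower() not in SHELLS or parent is None:
            continue
        start = datetime.fromisoformat(ps["t"])
        # Only consider events inside the window after PowerShell started.
        recent = [e for e in events if timedelta(0)
                  <= datetime.fromisoformat(e["t"]) - start <= window]
        dlls = [e["path"] for e in recent
                if e["type"] == "file_create" and e["pid"] == ps["pid"]
                and TEMP in e["path"].lower() and e["path"].lower().endswith(".dll")]
        deleted = any(e["type"] == "file_delete"
                      and e["path"].lower() == parent["image"].lower() for e in recent)
        if dlls and deleted:
            findings.append({"parent": parent["image"], "dlls": dlls})
    return findings

if __name__ == "__main__":
    print(find_dropper_chains(EVENTS))
```

Process IDs are assumed unique within the sample; on real telemetry, key processes by a stable process GUID instead, since PIDs are reused.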