Saturday, 17 July 2021

Beware! – Kaseya-themed Malware Scam – Fake Kaseya VSA Security Update Drops Cobalt Strike



Notorious hacking group REvil was behind the attack, which exploited vulnerabilities in Kaseya's VSA software to distribute ransomware.

While the investigation takes place, a phishing campaign that claims to offer a security update for Kaseya’s VSA software is actually attempting to infect computers with Cobalt Strike-delivered malware.

Kaseya has urged customers to be aware of a wave of phishing emails taking advantage of the disruption caused by a recent ransomware attack.

The fake emails urge recipients to download and execute an attachment called “SecurityUpdates.exe” and also contain a link that pretends to be a security update from Microsoft to patch the Kaseya vulnerability.


(Source: Malwarebytes)

However, the attachment is actually a Cobalt Strike package. Also, once users click the URL, they are redirected to another server [45[.]153[.]241[.]113/download/pload.exe] where the malicious file is hosted.

Researchers added that with the use of Cobalt Strike, hackers intend to also gain access to already-compromised systems, possibly for further reconnaissance or to conduct a local, follow-up attack.

Individuals may receive an email that looks like a security update from Microsoft. Phishing prevention requires constant vigilance. As per usual best practices:

IOCs for Spam Campaign:

File:

SHA1: 7B6621202AC7795E89891B7BD65E769BA6C267C5

Network:

hxxp://45[.]153[.]241[.]113/download/pload[.]exe

hxxp://31[.]42[.]177[.]52/dpixel

hxxp://31[.]42[.]177[.]52/submit.php
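
The following Python is an added example, not part of the original post or of the Malwarebytes research: it refangs the network IOCs above in memory and sweeps web-proxy records for them, separating exact URL matches from other contact with the same servers. The log layout (time, client, method, target, status) and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Network IOCs as listed on this page, kept defanged in the source file.
DEFANGED_IOCS = [
    "hxxp://45[.]153[.]241[.]113/download/pload[.]exe",
    "hxxp://31[.]42[.]177[.]52/dpixel",
    "hxxp://31[.]42[.]177[.]52/submit.php",
]

def refang(ioc):
    """Turn a defanged indicator into a parseable URL (in memory only)."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.I).replace("[.]", ".")

def build_index(iocs):
    """Map each IOC host to the set of lower-cased URL paths listed for it."""
    index = {}
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        index.setdefault(parts.hostname, set()).add(parts.path.lower())
    return index

def scan_proxy_log(lines, index):
    """Return (line_no, match, line); match is 'exact' (host+path) or 'host'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated record
        # CONNECT records log host:port only, so give urlsplit a netloc marker.
        target = fields[3] if "://" in fields[3] else "//" + fields[3]
        url = urlsplit(target)
        if url.hostname in index:
            match = "exact" if url.path.lower() in index[url.hostname] else "host"
            hits.append((n, match, line))
    return hits

# Constructed sample log (hypothetical format: time client method target status).
SAMPLE_LOG = [
    "2021-07-08T09:58:02Z 10.0.0.15 GET http://intranet.example/index.html 200",
    f"2021-07-08T10:02:11Z 10.0.0.15 GET {refang(DEFANGED_IOCS[0])} 200",
    "2021-07-08T10:02:40Z 10.0.0.15 CONNECT " + refang("31[.]42[.]177[.]52") + ":443 200",
    f"2021-07-08T10:03:05Z 10.0.0.15 GET {refang(DEFANGED_IOCS[2]).replace('submit', 'SUBMIT')}?id=1 200",
    "truncated record",
]

if __name__ == "__main__":
    for n, match, line in scan_proxy_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"line {n}: {match:5} {line}")
```

A 'host' match (same server, different or no path) is worth triaging alongside exact matches, since the listed paths may not be the only ones served from those addresses.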