Notorious hacking group REvil was behind the attack, which exploited vulnerabilities in Kaseya's VSA software to distribute ransomware.
While the investigation takes place, A phishing campaign that claims to offer a security update for Kaseya’s VSA software is actually attempting to install deploying malware to infect computers with Cobalt Strike-delivered malware.
Kaseya has urged customers to be aware of a wave of phishing emails taking advantage of the disruption caused by a recent ransomware attack.
The fake email urge recipients to download and execute an attachment called “SecurityUpdates.exe” as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability.
(Source: Malwarebytes)
However, the attachment, is actually a Cobalt Strike package. Also once users click the URL, they are redirected to some other server [45[.]153[.]241[.]113/download/pload.exe] where the malicious file exists.
Researchers added that with the use of Cobalt Strike, hackers intend to also gain access to already-compromised systems, possibly for further reconnaissance or to conduct a local, follow-up attack.
Individuals may receive an email that looks like a security update from Microsoft.Phishing prevention requires constant vigilance. As per usual best practices :
IOCs for Spam Campaign:
File:
SHA1: 7B6621202AC7795E89891B7BD65E769BA6C267C5
Network:
hxxp://45[.]153[.]241[.]113/download/pload[.]exe
hxxp://31[.]42[.]177[.]52/dpixel
hxxp://31[.]42[.]177[.]52/submit.php
