[MART] - Daily Diary #301 - Malware Spam Campaign Piggybacking On Kaseya Attack

CTAS-MAT ctas-mat at appgate.com
Thu Jul 8 20:33:53 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/08/2021 - Diary entry #301:

In our Daily Diaries #297 and #298, we covered the REvil (a.k.a. Sodinokibi) attack on Kaseya systems. That attack got the group a lot of attention: they compromised many computers through a supply-chain attack on Kaseya VSA, making the infected systems deploy the ransomware to all of their connected clients. Now it seems that another cybercrime gang is trying to piggyback on REvil's "success".

This week a new e-mail spam campaign showed up, using the Kaseya attack as a decoy. The e-mail addresses Kaseya clients, asking them to install an update on their systems to protect them against ransomware by fixing a vulnerability in the product. The e-mail contains a download link that leads the user to a disguised Cobalt Strike beacon.

A Cobalt Strike beacon is a post-exploitation tool that connects to a C2 server and gives the operator full control of the machine. We have already covered Cobalt Strike in several of our Daily Diaries, including the SolarWinds attack, where the attackers deployed the beacon to steal data from the infected machines. Many infamous APT groups have used this tool heavily, including Dridex and even REvil itself. It is not yet clear which cybercrime gang is behind this campaign.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
