A malicious Cobalt Strike script campaign has been discovered that uses phishing emails, malicious macros, PowerShell, and steganography to take advantage of unsuspecting email recipients.

When the email first lands in an inbox it includes a legacy Word attachment (.doc) with a malicious macro that installs a PowerShell script from GitHub if it is permitted to run. That script then installs a PNG image file from the genuine image sharing service Imgur. The image includes hidden code within its pixels which can be executed with a single command to run the payload. In this instance, a Cobalt Strike script.

Cobalt Strike is a widely-implemented penetration testing tool. While it is used by security experts for legitimate security reasons, it is also of value to hackers. The tool premits beacons to be added to compromised devices which can be used to run PowerShell scripts, create web shells, escalate privileges, and provide remote access to devices. In this campaign, the hiding of the code in the image and the use of legitimate services such as Imgur and GitHub helps the hackers bypass detection.

The hiding of code within image files is known as steganography and has been implemented for many years as a way of hiding malicious code, usually in PNG files to prevent the code from being discovered. With this campaign the deception doesn’t finish there. The Cobalt Strike script includes an EICAR string that is aimed at tricking security solutions and security teams into labelling the malicious code as an antivirus payload, except contact is made with the hacker’s command and control server and instructions are recognized.

This campaign was discovered by expert ArkBird who compared the campaign to one conducted by an APT group known as Muddywater, which emerged around 2017. The threat group, aka Static kitten/Seedworm/Mercury, primarily carries out attacks on Middle eastern countries, commonly Saudi Arabia and Iraq, although the group has been known to conduct attacks on European and US targets. It is not known whether this group is to blame for the campaign.

Of course one of the most effective ways to prevent these types of attacks is by stopping the malicious email from being delivered to inboxes. A spam filter such as SpamTitan that incorporates a sandbox for reviewing attachments in safety will help to ensure that these messages do not get sent to inboxes. End user training is also recommended to ensure that employees are made aware that they should never enable macros in Word Documents sent using email.

A web filtering solution is also effective. Web filters like WebTitan can be set up to give IT teams full management over the web content that employees can access. Since GitHub is commonly used by IT expert and other workers for authentic reasons, a group-wide block on the site is not a wise move. Rather, a selective block can be implemented for groups of employees or departments that prevents GitHub and other possibly risky code sharing sites including PasteBin from being accessed, either deliberately or unintentionally, to provide an extra layer of security.