Geeks for your information
Fake Kaseya VSA Security Update Drops Cobalt Strike - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: News (https://www.geeks.fyi/forumdisplay.php?fid=105)
+--- Forum: Privacy & Security News (https://www.geeks.fyi/forumdisplay.php?fid=107)
+--- Thread: Fake Kaseya VSA Security Update Drops Cobalt Strike (/showthread.php?tid=15551)



Fake Kaseya VSA Security Update Drops Cobalt Strike - silversurfer - 08 July 21

Quote:A malware spam campaign is milking the Kaseya ransomware attacks against its Virtual System/Server Administrator (VSA) platform to spread a link pretending to be a Microsoft security update, along with an executable file that’s dropping Cobalt Strike, researchers warn.
 
On Tuesday night, Malwarebytes Threat Intelligence tweeted a screen capture of the boobytrapped email, which included an attachment named “SecurityUpdates.exe” and a message urging recipients to “install the update fro= microsoft to protect against ransomware as soon as possible. This is fi=ing a vulnerability in Kaseya.”

The attackers are looking to gain persistent remote access to the systems of targeted victims who fall for the ploy and run the malicious executable, or download and launch the fake Microsoft security update, on their devices.

Jerome Segura, a lead malware intelligence analyst at Malwarebytes, told Threatpost that so far, this is the first attack that’s been spotted piggybacking on the Kaseya attack.

While Malwarebytes hasn’t determined what threat actors are behind the Kaseya-themed malspam campaign, Segura said that the fake security update – the Cobalt Strike payload – is, interestingly enough, hosted on the same IP address used for another campaign pushing the Dridex banking trojan.

“In the past we’ve seen the same threat actor behind Dridex using Cobalt Strike,” Segura said via email.

Read more: Fake Kaseya VSA Security Update Drops Cobalt Strike | Threatpost