GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

silversurfer

A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

This week researcher Arkbird has shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.
The malware strand which looks "like MuddyWater," according to the researcher, ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group. [...]
Security researcher Florian Roth from Nextron Systems has additionally added the Indicators of Compromise (IOCs) associated with this malware to MuddyWater IOCs list, and provided YARA rules that can be used to detect the variant in your environment.
The IOCs associated with the macro-laden Word documents used in this campaign are given below:
  1. d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
  2. ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
 

Andy Ful

This PowerShell script is also completely dismantled by PowerShell Constrained Language Mode. The Add-Type and New-Object are restricted, so System.Drawing.Bitmap, Net.WebClient, and System.Text.Encoding will fail. :)(y)
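As an added example (not code from the thread, the article or any named project), a PowerShell check that reproduces the point above: switch a throwaway session into Constrained Language Mode and see whether each building block the described GitHub-to-Imgur chain depends on (WebClient download, System.Drawing.Bitmap, System.Text.Encoding, Add-Type) is refused. The function name, probe names and probe bodies are assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not code from the thread, the article or any named project.
# Switches the current session to Constrained Language Mode and probes the
# building blocks the described script chain relies on (download a file, build
# a Bitmap, decode bytes to text, compile with Add-Type) so a defender can
# confirm what CLM refuses. A session can enter ConstrainedLanguage but not
# leave it, so run this in a throwaway window.
function Test-ClmBlocksPayloadChain {
    [CmdletBinding()]
    param()

    # Load System.Drawing while still in FullLanguage, so the Bitmap probe below
    # measures the CLM restriction on New-Object rather than a missing assembly.
    try { Add-Type -AssemblyName System.Drawing } catch { }

    # Probe names and bodies are assumptions modelled on the chain in the thread.
    $probes = [ordered]@{
        'New-Object System.Net.WebClient'        = { New-Object -TypeName System.Net.WebClient }
        'New-Object System.Drawing.Bitmap'       = { New-Object -TypeName System.Drawing.Bitmap -ArgumentList 1, 1 }
        '[System.Text.Encoding]::UTF8.GetString' = { [System.Text.Encoding]::UTF8.GetString([byte[]](72, 105)) }
        'Add-Type -TypeDefinition (C# source)'   = { Add-Type -TypeDefinition 'public class ClmProbe {}' }
    }

    $ErrorActionPreference = 'Stop'
    $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

    foreach ($name in $probes.Keys) {
        $blocked = $false
        $reason  = ''
        try {
            $null = & $probes[$name]
        } catch {
            $blocked = $true
            # Keep the first line of the engine's error text for the report
            $reason = ("$_" -split "`n")[0]
        }
        [pscustomobject]@{ Step = $name; Blocked = $blocked; Reason = $reason }
    }
}

# One row per probe: which step CLM refused and the engine's reason text.
Test-ClmBlocksPayloadChain | Format-Table -AutoSize -Wrap
```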