The recent targeted attacks exploiting the (at the time) zero-day remote code execution vulnerability (CVE-2021-40444) in Windows via booby-trapped Office documents have been delivering custom Cobalt Strike payloads, Microsoft and Microsoft-owned RiskIQ have shared.
The researchers also found connections between the attackers’ exploit delivery infrastructure and infrastructure previously used to deliver human-operated ransomware, the Trickbot trojan and the BazaLoader backdoor/downloader.
The attacks and their possible goals
Judging by the email lures used in these attacks, some of the targets were application development organizations.
The targets would receive an email pointing to exploit documents hosted on file-sharing sites; once downloaded and opened, the documents would retrieve a custom Cobalt Strike Beacon loader and load it into the Microsoft Address Book Import Tool.
The exploit ensured that the target wouldn’t be asked to disable Protected Mode in Microsoft Office and that the payload would execute without any user interaction.
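The chain described above (an Office application opens the lure document, which fetches a loader and runs it inside the Windows Address Book Import Tool) gives defenders a simple process-lineage signal to hunt for. The following is an added example, not code from the article or from Microsoft/RiskIQ: it walks constructed process-creation events and flags any Address Book Import Tool process that has an Office application among its ancestors. The event format is invented for this example, and the image name `wabmig.exe` is assumed to be the Address Book Import Tool (the article names the tool but not its binary).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office applications that open lure documents (assumed set; extend as needed).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed image name of the Windows Address Book Import Tool.
ADDRESS_BOOK_IMPORT_TOOL = "wabmig.exe"
# How far up the process tree to look for an Office parent; the loader may be
# staged through an intermediate process, so a direct-parent check is too narrow.
MAX_ANCESTOR_DEPTH = 4


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed format, not a real EDR schema)."""
    pid: int
    ppid: int
    image: str  # full path of the executable


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_ancestor(event: ProcessEvent,
                    by_pid: Dict[int, ProcessEvent],
                    max_depth: int = MAX_ANCESTOR_DEPTH) -> Optional[ProcessEvent]:
    """Return the nearest Office process above `event`, or None if there is none
    within `max_depth` hops (or the chain leaves the known events)."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None or parent.pid == current.pid:
            return None
        if basename(parent.image) in OFFICE_PROCESSES:
            return parent
        current = parent
    return None


def find_suspicious_chains(events: List[ProcessEvent]) -> List[dict]:
    """Flag every Address Book Import Tool launch that descends from an Office app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != ADDRESS_BOOK_IMPORT_TOOL:
            continue
        ancestor = office_ancestor(e, by_pid)
        if ancestor is not None:
            hits.append({
                "office_pid": ancestor.pid,
                "office_image": basename(ancestor.image),
                "tool_pid": e.pid,
            })
    return hits


# Constructed sample events: one direct Office -> tool chain, one benign launch
# of the tool from the desktop shell, and one chain routed through cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   r"C:\Windows\explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(300, 200, r"C:\Program Files\Windows Mail\wabmig.exe"),   # suspicious
    ProcessEvent(400, 100, r"C:\Program Files\Windows Mail\wabmig.exe"),   # benign
    ProcessEvent(500, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(600, 500, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(700, 600, r"C:\Program Files\Windows Mail\wabmig.exe"),   # suspicious
]

if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print(hit)
```

The benign launch (pid 400) is ignored because its only ancestor is the shell, while the cmd.exe-staged chain (pid 700) is still caught by the ancestor walk. In a real deployment the same lineage check would run against EDR or Sysmon process-creation telemetry, and the Office parent set and tool name would be taken from your own inventory rather than the assumptions above.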
According to Microsoft, at least one organization that was compromised by the