SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers redirect government-controlled website to spread Cobalt Strike
Description: Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021. This shows that Cobalt Strike, although originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers use it to stage their attacks. The malware is typically a loader that runs on a victim machine and decodes and executes the Cobalt Strike beacon DLL via reflective injection. It loads several libraries at runtime and generates beacon traffic according to the embedded configuration file. The configuration contains the command and control (C2) server details, which instruct the victim's machine to send an initial DNS request attempting to connect to the host of the Myanmar government-owned domain www[.]mdn[.]gov[.]mm. The site is hosted behind the Cloudflare content delivery network, and the actual C2 traffic is redirected to an attacker-controlled server, test[.]softlemon[.]net, based on the HTTP Host header specified in the beacon's configuration data.
Reference: https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html
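The detection angle on the entry above is the mismatch it describes: the DNS name and TLS SNI point at the CDN-fronted government domain, while the HTTP Host header names the real C2. The following is an added example, not code from the Talos report, that flags that mismatch in proxy logs. It assumes a TLS-inspecting proxy that records both the SNI and the decrypted Host header in a constructed whitespace-separated format (timestamp, client IP, DNS name, SNI, HTTP Host, URI); the sample lines are constructed for the example and reuse the two hostnames the entry reports.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines (hypothetical format, not Talos data).
# Fields: timestamp client_ip dns_name tls_sni http_host uri
SAMPLE_LOG = """\
2021-09-14T10:01:02Z 10.0.0.12 www.mdn.gov.mm www.mdn.gov.mm www.mdn.gov.mm /index.html
2021-09-14T10:01:05Z 10.0.0.12 www.mdn.gov.mm www.mdn.gov.mm test.softlemon.net /submit.php
2021-09-14T10:02:11Z 10.0.0.20 cdn.example.org cdn.example.org static.example.org /lib.js
2021-09-14T10:03:00Z 10.0.0.31 mail.example.com mail.example.com mail.example.com /owa
"""

# Tiny list of multi-label public suffixes used by the sample; a production
# detector would use a full public suffix list instead (assumption).
MULTI_LABEL_SUFFIXES = {"gov.mm", "co.uk", "com.au"}

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (e.g. 'example.org' for 'cdn.example.org')."""
    labels = hostname.lower().rstrip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-depth:])


def detect_fronting(log_text: str) -> List[Dict[str, str]]:
    """Flag requests whose TLS SNI differs from the HTTP Host header.

    A mismatch inside one registrable domain (cdn vs static of the same site)
    is common CDN behaviour and rated 'low'; a cross-domain mismatch is the
    domain-fronting pattern and rated 'high'.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the pipeline
        timestamp, client_ip, dns_name, sni, http_host, uri = parts
        sni, http_host = sni.lower(), http_host.lower()
        if not (HOSTNAME_RE.match(sni) and HOSTNAME_RE.match(http_host)):
            continue
        if sni == http_host:
            continue
        severity = "low" if registrable_domain(sni) == registrable_domain(http_host) else "high"
        findings.append({
            "timestamp": timestamp,
            "client_ip": client_ip,
            "dns_name": dns_name,
            "sni": sni,
            "http_host": http_host,
            "uri": uri,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_fronting(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['client_ip']} "
              f"SNI={finding['sni']} Host={finding['http_host']} {finding['uri']}")
```

The check only works where the proxy can see the Host header, i.e. with TLS inspection or at an egress proxy terminating the connection; with plain NetFlow or DNS logs alone, the fronted domain looks like ordinary traffic to a government site on a CDN, which is exactly why the technique is used.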
Title: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
Description: Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012. This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts. The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers. These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules. This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.
Reference: https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html