Infoblox has discovered a fake Kaseya patch designed to trick users into downloading malware under the guise of fixing the recent Kaseya vulnerabilities.
According to the Infoblox report, the malspam campaign was designed to exploit concerns about Kaseya’s vulnerability, and the malware delivered in the fake patch includes Cobalt Strike. While Cobalt Strike is a legitimate penetration-testing tool, it is often abused by malicious actors.
“The company HelpSystems owns Cobalt Strike and sells it online. Cobalt Strike is a legitimate penetration-testing tool, but it is frequently abused by threat actors and used for malicious purposes. Cobalt Strike can log keystrokes, launch exploits for privilege escalation, connect to command and controls (C&Cs), and more,” the report read.
“The subjects of the emails distributed by the campaign are rather generic, such as ‘Package Delivery Status #’ or ‘Our Shipping Renewal 2021 INS’, which is followed by five to 10 seemingly random numbers, such as ‘2887437’. However, the bodies of the emails contain a spoofed conversation, where the most recent message says: ‘please install the update from Microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.’”
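One way a mail-filtering team could turn the indicators quoted above into a simple detection rule, as an added example that is not part of the Infoblox report or this article: the subject pattern and lure wording come from the quote, the scoring logic and both sample messages are constructed here.

```python
import re
from email import message_from_string

# Subject lines reported for the campaign: a generic phrase followed by 5 to 10 digits.
SUBJECT_RE = re.compile(
    r"^(?:Package Delivery Status\s*#?|Our Shipping Renewal 2021 INS)\s*\d{5,10}$",
    re.IGNORECASE,
)
# Wording of the lure quoted in the report.
LURE_PHRASES = ("install the update from microsoft", "vulnerability in kaseya")


def score_message(raw_message):
    """Return the campaign indicators found in an RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    # Gather the text/plain parts; walk() yields the message itself when it is not multipart.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(chunks).lower()
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches campaign pattern (generic phrase + 5-10 digits)")
    if all(phrase in body for phrase in LURE_PHRASES):
        reasons.append("body contains the fake-patch lure text")
    # A patch for one vendor's product announced as coming from another vendor is a red flag.
    if "kaseya" in body and "microsoft" in body and ("update" in body or "patch" in body):
        reasons.append("vendor mismatch: 'Microsoft' update said to fix a Kaseya issue")
    return reasons


# Constructed sample modelled on the lure wording quoted in the report (not a real message).
LURE_SAMPLE = """\
Subject: Our Shipping Renewal 2021 INS 2887437
Content-Type: text/plain; charset="utf-8"

> Thanks, I'll take a look tomorrow.
please install the update from Microsoft to protect against ransomware as soon as possible.
This is fixing a vulnerability in Kaseya.
"""
# Constructed benign sample for comparison.
BENIGN_SAMPLE = """\
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Are you free for lunch at noon on Friday?
"""
```

Calling `score_message(LURE_SAMPLE)` returns all three reasons, while the benign sample returns an empty list; in practice such a rule would feed a quarantine or analyst queue rather than block outright.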
To stay protected, Infoblox recommends running all downloaded files through antivirus software, verifying that the sender is legitimate (including by phone) before opening attachments, and being vigilant when clicking links in emails.