16/11/2019
New Hacking Group Using Metasploit To Install Backdoor Malware On Windows By Exploiting MS Office.
Researchers detect a wave of malware campaigns from a new hacking group named TA2101 that targeting various organizations in German and Italy to deploy the backdoor malware in their network.
Threat actors from this new hacking group using legitimate and licensed pe*******on testing tools and backdoor framework such as Cobalt Strike and Metasploit to perform the post-exploitation operation.
These kinds of tools and frameworks are legitimately used by an organization to find out the vulnerabilities and secure their environment, at the same time cybercriminals group such as Cobalt Group, APT32, and APT19 taking advantage of the features and used it to deploy the malware.
Attackers initiate these campaigns focused on phishing and increasingly sophisticated social engineering, as well as banking Trojans and ransomware.
Researchers observed that this New Hacking Group also distributing Maze ransomware to attack Italy based company’s infrastructure by employing an advanced social engineering technique and impersonate the Italian revenue agency.
Exploiting Windows via Malicious Word Docs
Proofpoint researchers observed this campaign from October 16 until November 12, 2019, the collected samples provide a clear indication about the targets, and how they are sending malicious email messages to organizations in Germany, Italy, United States to attack business and IT services, manufacturing, and healthcare.
Among the several samples that were delivered via malspam emails, most of the email attachment contains weaponized word documents.
Email body content tempts victims to open the attachment that leads to executing the macro and turn it on to execute the PowerShell script.
The obfuscated Powershell script eventually downloads and installs the Maze ransomware from the command & control server and drops into the victim’s device.