Recent reports by cybersecurity experts have uncovered a new phishing campaign that uses the ransomware assault on Colonial Pipeline as its pretext.

The malicious messages are targeted and designed to resemble urgent notices, with the aim of fooling recipients into downloading dangerous data files. Potential victims are instructed by the carefully crafted content to download a new system update promising to defend their network and devices from the latest strains of ransomware.

Cunningly created phishing messages

Threat operators have wasted no time following the Colonial Pipeline attack, with the newly devised phishing campaign unleashed only a matter of weeks after the incident. Cybersecurity researchers analysed the attack vector, which aimed to compromise systems using the pen testing tool known as Cobalt Strike.

The bogus emails make use of the targeted attack on the major US fuel pipeline as an important example of the potentially devastating impact a ransomware assault can have on an enterprise or organisation.

The well-crafted content urges victims to quickly install a supposedly vital system update supplied via an external link. Recipients are told that, once it is installed, their system will be able not only to detect but also to prevent newly created ransomware from harming their operations. To create a sense of urgency, the emails include a deadline by which recipients must apply the update.

The threat actor behind the new campaign has used a selection of domains, registered via Namecheap in late May, that could easily be mistaken for authentic ones. The researchers also found that the domains were being used not only to send malicious emails but also to host bogus executables.

Additionally, in both instances, the dedicated download pages had been cleverly customised to include target enterprises’ imagery and logo so that they appeared more authentic and therefore more likely to be trusted.

Misuse of Cobalt Strike

In a recent blog post, the researchers confirmed that the malicious download was in fact Cobalt Strike, a specially designed piece of threat-emulating software that was originally developed for pen testing but is often misused by cybercriminals, particularly ransomware gangs. Towards the end of 2020, Cobalt Strike’s source code was leaked, making it more accessible to an extensive selection of threat actors. Luckily, in this specific campaign, the Cobalt Strike payload is detectable by numerous antivirus products on the current market.

The researchers commented on the attack:

“In this environment, phishers tried to exploit people’s anxiety, offering them a software update that would ‘fix’ the problem via a highly targeted email that used design language that could plausibly be the recipient’s company’s own. All the recipients had to do was click the big blue button, and the malware would be injected.”

Today’s threat operators using phishing tactics keep a sharp eye on the latest news to enhance their criminal campaigns with the most relevant lures. By including current events as a context for their content, they can increase the chance of a successful outcome for their insidious attacks.