Threat Advisory

RFQ Malware Campaign Delivers Multi Stage Cobalt Strike Payload

Threat: Malware Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY

This campaign uses a phishing email with a request for quotation theme to trick users into opening attached documents that appear related to business deals. The message is designed to look normal and targets roles that usually handle such requests, so it does not raise suspicion. The attached files look real but contain hidden content that starts a multi-step infection process. The same document structure is reused across samples which shows a repeated method. The attack chain is divided into multiple stages where each stage loads another component instead of delivering everything at once. This helps the attack avoid early detection. It also uses common file types and tools such as document files scripts and command tools so activity blends with normal system use.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY

This campaign uses a phishing email with a request for quotation theme to trick users into opening attached documents that appear related to business deals. The message is designed to look normal and targets roles that usually handle such requests, so it does not raise suspicion. The attached files look real but contain hidden content that starts a multi-step infection process. The same document structure is reused across samples which shows a repeated method. The attack chain is divided into multiple stages where each stage loads another component instead of delivering everything at once. This helps the attack avoid early detection. It also uses common file types and tools such as document files scripts and command tools so activity blends with normal system use.[emaillocker id="1283"]

The infection starts with a document that includes hidden content which is not visible to the user. This content carries encoded data that extracts and runs a script. The script removes extra characters to rebuild its real code and then runs system commands to continue the attack. It launches a command process that runs encoded instructions and avoids security checks by bypassing scanning steps. The script then connects to an external source and downloads a compressed file using a trusted file sharing service. Inside the file there is a full runtime setup along with scripts and an encrypted payload. The next stage uses multiple decoding steps such as base64 and other transformations to reveal the hidden payload. The payload is then decrypted and loaded directly into memory instead of being saved on disk. This makes detection harder as there is no clear file left behind. The same keys and patterns are reused across samples.

The campaign shows a strong use of staged execution and trusted tools to reduce detection and blend with normal activity. By spreading the attack across multiple steps and using built in system tools it avoids drawing attention. The use of memory-based loading also limits visible traces on the system. At the same time the campaign has some weak points due to repeated patterns across different samples. Reuse of keys similar file structures and common behavior allows linking of related samples and helps in detection. The use of public file sharing sources also creates a chance to track and block activity. Overall, the attack is effective in hiding its steps, but the repeated design makes it easier to identify once analyzed.

THREAT PROFILE:

Tactic Technique ID Technique Sub-Technique
Initial Access T1566.001 Phishing Spearphishing Attachment
Execution T1204.002 User Execution Malicious File
T1059.007 Command and Scripting Interpreter JavaScript
T1059.001 Command and Scripting Interpreter PowerShell
T1059.006 Command and Scripting Interpreter Python
T1218 System Binary Proxy Execution
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defense Evasion T1027 Obfuscated Files or Information
T1036 Masquerading
T1620 Reflective Code Loading
T1140 Deobfuscate/Decode Files or Information
Command and Control T1071.001 Application Layer Protocol Web Protocols
T1105 Ingress Tool Transfer

MBC MAPPING:

Objective Behaviour ID Behaviour
Initial Access B0021 Send Poisoned Text Message
Defense Evasion F0005 Hidden Files and Directories
E1027 Obfuscated Files or Information
E1055 Process Injection
B0013 Analysis Tool Discovery
Execution E1059 Command and Scripting Interpreter
Command and Control B0030 C2 Communication
C0002 HTTP Communication

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu