Fake coupon downloads Cobalt Strike to take control of your system


With the holiday shopping season in full swing, cybercriminals are taking advantage of the fact that consumers are expected to shop for great deals over the next few weeks. During this Cyber sales week, the SonicWall Capture Labs Threat Research Team has spotted a specially crafted document file pretending to be a coupon that will save you big bucks on all items with major online retailers like amazon, ebay and aliexpress. In this infection, multiple levels of scripts are being executed and downloaded to carry on the full attack.

Infection cycle:

The file arrives as a document file.

The text on the file asks the user to click on the image to access a coupon. Doing so, will launch a VBScript file named “Coupon code .vbs”

This script checks if it is being executed in a virtual environment and will terminate. It then spawns schtasks.exe to add a scheduled task named “GooleServices_updaters.”

The scheduled task tries to visit a page on pastebin every hour using mshta.exe, a Microsoft windows file used to launch html applications. This page contains another powershell script.

This powershell script, launches another instance of powershell which then downloads a Cobalt Strike client.

The downloaded Cobalt Stike file has the eicar test file string appended to it possibly in an attempt to throw off malware detection.

Cobalt Strike is a threat emulation software designed for penetration testers and from here, the attacker can then take control of the victim’s machine and penetrate the network by intiating a wide array of commands. Thus, it has become popular with malware authors as well.

Because of the prevalance of these types of malware attacks specially during the holiday season, we urge our users to always be vigilant and cautious with any unsolicited email with unsuspecting document attachments, particularly if you are not certain of the source.

Sonicwall Capture Labs provide protection against this threat with the following signature:

  • GAV: Coupon.VBS (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.