A sophisticated malware campaign has emerged targeting financial and legal sectors in the Russian Federation, delivering the notorious Cobalt Strike remote access tool to organizations handling sensitive business transactions.
Security researchers have identified over twenty initial infection files involved in this multi-stage attack chain, revealing a well-orchestrated operation designed to remain hidden from traditional security systems.
The campaign, tracked as Operation FrostBeacon, uses deceptive phishing emails and weaponized attachments to compromise targets.
The threat actors craft messages revolving around contract payments, legal disputes, and debt collection to lure users into opening malicious files.
These lures exploit common business concerns in logistics, finance, and supply chain sectors where organizations rely heavily on contracts and payment processing.
The emails appear legitimate, often written in Russian and referencing typical business terminology that builds trust with victims.
Seqrite security analysts identified two distinct infection clusters operating in parallel, each following a separate path to deliver the same malware.
Both ultimately converge on deploying Cobalt Strike, a robust framework used by threat actors for remote control and command execution on compromised systems.
Multi-Stage Infection Mechanism and Detection Evasion
The first cluster operates through archive delivery, containing a malicious shortcut file disguised as a PDF.
When users open this file, it triggers hidden PowerShell commands that establish a connection to a remote server.
The second cluster uses Word documents exploiting legacy vulnerabilities, specifically CVE-2017-0199 for delivery and CVE-2017-11882 in the Equation Editor for execution.
Notably, both clusters redirect to the same HTML Application (HTA) file, which serves as the core execution component.
The real sophistication lies in the payload delivery. Once the HTA file executes, it reconstructs multiple Base64-encoded blocks into a gzip-compressed PowerShell script.
This script implements three layers of obfuscation designed to prevent detection. The first layer is Gzip compression wrapped in Base64 encoding.
The second layer contains custom functions that dynamically resolve Windows API functions at runtime without writing any files to disk.
The final layer is a Base64-encoded blob XOR-encrypted with the key 35, which decodes into raw shellcode executed in memory.
The decrypted shellcode functions as a Cobalt Strike Beacon loader, establishing communication with command-and-control servers masquerading as normal jQuery file downloads.
The malware uses sophisticated techniques, including NtMapViewOfSection for process injection and customized Cobalt Strike profiles that further obscure its presence.
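To show how a responder can statically peel the layers described above without running anything, here is an added Python example (not from the report and not Seqrite's tooling) that reassembles split Base64 chunks, gunzips the resulting PowerShell script, locates the inner Base64 blob and removes the XOR with key 35 so the embedded bytes can be hashed and searched. The `FromBase64String('...')` wrapper, the chunk size and the sample bytes are constructed assumptions, and the key is assumed to be a single byte.

```python
import base64
import gzip
import re
from typing import Dict, List

XOR_KEY = 35  # single-byte XOR key reported for the final layer (assumed one byte)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def unpack_stage1(blocks: List[str]) -> str:
    """Layer 1: rejoin the split Base64 chunks, Base64-decode, gunzip -> script text."""
    raw = base64.b64decode("".join(blocks))
    return gzip.decompress(raw).decode("utf-8")


def extract_shellcode(script: str, key: int = XOR_KEY) -> bytes:
    """Layer 3: pull the Base64 blob out of the script and undo the XOR.
    Assumes (constructed layout) the blob sits inside a FromBase64String('...') call."""
    match = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", script)
    if not match:
        raise ValueError("no Base64 blob found in decoded script")
    return xor_bytes(base64.b64decode(match.group(1)), key)


def triage(blocks: List[str]) -> Dict[str, object]:
    """Peel every layer and return the artefacts a responder would hash or search."""
    script = unpack_stage1(blocks)
    return {
        "script": script,
        "uses_api_resolver": "GetProcAddress" in script,  # hint of layer 2
        "shellcode": extract_shellcode(script),
    }


# --- constructed sample standing in for the HTA's embedded blocks (not real malware) ---
SAMPLE_SHELLCODE = b"\x90\x90\xcc\x00PLACEHOLDER-NOT-REAL-SHELLCODE"
_inner = base64.b64encode(xor_bytes(SAMPLE_SHELLCODE, XOR_KEY)).decode()
_script = (
    "$b=[Convert]::FromBase64String('" + _inner + "');\n"
    "# constructed stand-in for the dynamic API resolver: GetProcAddress lookup\n"
)
_packed = base64.b64encode(gzip.compress(_script.encode("utf-8"))).decode()
SAMPLE_BLOCKS = [_packed[i:i + 40] for i in range(0, len(_packed), 40)]  # split like the HTA

if __name__ == "__main__":
    result = triage(SAMPLE_BLOCKS)
    print(len(result["shellcode"]), "bytes recovered; API resolver:", result["uses_api_resolver"])
```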
Infrastructure analysis reveals Russian-controlled domains registered through local providers, with command-and-control traffic hidden within legitimate-appearing web requests.
This combination of techniques demonstrates a financially motivated threat group with deep technical knowledge of evasion methods.
