October 10, 2022 — Eric Swotinsky

Phishing campaign uses fake government job offers as lure

Researchers discovered a new phishing campaign targeting U.S. and New Zealand job seekers. Victims receive emails that purport to present a lucrative job offer but actually contain malicious files.

In some cases, opening the document triggers the exploit and leads to the download of a Word document hosted in a Bitbucket repository. In other cases, Cobalt Strike beacons are installed for remote access to victims' devices. The Cobalt Strike beacon enables threat actors to execute commands remotely on the infected device, allowing them to steal data or spread laterally through the compromised network.

This campaign unfolds in several stages, with most steps relying on executing obfuscated scripts from the host's memory and abusing the Bitbucket code hosting service to evade detection.

The multi-layered detection included in Acronis Cyber Protect Cloud identifies and blocks even never-before-seen forms of malware from executing, while the optional Advanced Email Security add-on prevents such malicious messages from ever reaching users' inboxes.