Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.

Malicious emails sent as part of this campaign come with a malicious attachment and an embedded link designed to look like a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.

“It contains an attachment named ‘SecurityUpdates.exe’ as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!”

The attackers gain persistent remote access to the targets systems once they run the malicious attachment or download and launch the fake Microsoft update on their devices.

Kaseya phishing

REvil ransomware attack that hit the Kaseya MSP software provider and approximately 60 out of 35,000 of their direct customers and 1,500 out of 1,000,000 downstream businesses makes for a perfect lure theme.

Kaseya says that it failed to deploy a fix for the VSA zero-day exploited by REvil, many of its customers might fall for this pishing campaign’s tricks in their effort to protect their networks from attacks.