Attackers send fake patches for vulnerability in Kaseya VSA
Cybercriminals are trying to take advantage of the critical situation surrounding the massive REvil ransomware attacks through the Kaseya MSP provider by sending potential victims spam emails with a Cobalt Strike payload disguised as Kaseya VSA security updates.
The malspam campaign spotted by Malwarebytes Threat Intelligence researchers uses two different tactics to deploy the Cobalt Strike payloads. Attackers send emails to potential victims with a malicious attachment and an embedded link designed to look like a Microsoft patch for the Kaseya VSA zero-day vulnerability. When a victim runs the malicious attachment or downloads and launches the fake patch, the attackers gain persistent remote access to the victim's computer.
Source: securitylab.ru
08 July 2021