CobaltStrike Threat Group Threat Intelligence Advisory

February 3, 2021

•

min read

Advisory	Adversary Intelligence
Actors	CobaltStrike Group/Carbanak
Targeted System	Windows Infrastructure

Executive Summary

APTs carry out campaigns with a very high operational security. As a result, it is tedious to keep track of their activities. CloudSEK threat researchers have detected interesting patterns and changes in the way these actors are operating currently.

Prominent threat groups are forming alliances with other such actors to maximise the impact and profit. There are new attack vectors in the wild that are elusive in nature so as to not tip off any security solutions deployed in the target environment.

Activities

FIN7-RYUK Association

Based on the intelligence we were able to gather from various reliable sources, FIN7 attack infrastructure was used by a threat actor to gain initial access in an enterprise network that would later pave the way to a RYUK ransomware attack. The threat actor’s Tactics, Techniques, and Procedures (TTPs) and the use of CARBANAK RAT can be traced back to FIN7. This strengthens our assumption about the collaboration between FIN7 and WIZARD SPIDER/ FIN6 dubbed RYUK.

New Attack Vectors Exploited by CobaltStrike APTs

Vector A

Template injection with delayed payload execution & malleable Cobalt C2

CloudSEK Threat Intelligence team has observed a new attack vector employed by the actor to evade security by launching spear phishing attacks against targets. It weaponizes a Word document that is capable of staging the download of the Cobalt beacon via template injection. The adversary employs .NET assemblies to provide auxiliary functions that help in accomplishing the actor’s objectives.

Anadia Waleed resume.doc	259632b416b4b869fc6dc2d93d2b822dedf6526c0fa57723ad5c326a92d30621
Remote Template: indexa.dotm	7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2
Remote Template Url	https://yenile[.]asia/YOOMANHOWYOUDARE/
C2	time.updateeset[.]com
Ecmd.exe	aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298 dcaaffea947152eab6572ae61d7a3783e6137901662e6b5b5cad82bffb5d8995 5f49a47abc8e8d19bd5ed3625f28561ef584b1a226df09d45455fbf38c73a79c
cf.ini	0eba651e5d54bd5bb502327daef6979de7e3eb63ba518756f659f373aa5f4f8b
Cf.ini shell-code after decryption	5143c5d8715cfc1e70e9db00184592c6cfbb4b9312ee02739d098cf6bc83eff9
CobaltStrike downloaded shellcode	8cfd023f1aa40774a9b6ef3dbdfb75dea10eb7f601c308f8837920417f1ed702
CobaltStrike payload	7963ead16b6277e5b4fbd5d0b683593877d50a6ea7e64d2fc5def605eba1162a

Vector B

Image encoded Cobalt payload delivery

CloudSEK Threat Intelligence team has observed unusual delivery of the beacon encoded in a PNG image, hosted on the image hosting platform Imgur. When the embedded macros are executed, it launches a Powershell script which further downloads a second Powershell script which is then hosted on Github. The Powershell script then downloads an image (PNG) from the image hosted on Imgur, which is in turn an encoded CobaltStrike payload. After downloading the image the Powershell script decodes the payload which inturn enables the CobaltStrike beacon to connect to the attackers’ infrastructure.

File hash	d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
File hash	Ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
Domain:Port	Mazzion1234-44451[.]portmap[.]host:44451
URL	hxxp://Mazzion1234-44451.portmap.host/fVRO

Miscellaneous Intelligence on CobaltStrike Actors

A new ransomware strain known as CRING has been identified using the “Cobalt beacon” in their campaigns to carry out post exploitation and lateral movement phases of the kill chain.

CobaltStrike post

Hashes	38217fa569df8f93434959c1c798b29d
	8d156725c6ce172b59a8d3c92434c352
	8d1650e5e02cd1934d21ce57f6f1af34
	d8415a528df5eefcb3ed6f1a79746f40

Impact

As the Cobalt beacon is capable of using various tactics such as process injection methods to evade security systems and remain in the target environment undetected, even legitimate processes running on the target device can get infected.
Exfiltration of data and C2 communication can be hidden in innocent looking network traffic by utilising malleable C2 capabilities.

An attacker can integrate other popular frameworks like Metasploit/ Empire and Mimikatz to carry out post exploitation phases including lateral movement and privilege escalation.
The threat actor can gain control over the target OS leading to disk access with read/write/execute permissions.
An attacker can make changes to system services and registries which are crucial elements in any Windows system, to enable persistence.
CobaltStrike can stage a VNC server to control the victim remotely.
Integration with PowerShell gives the attacker easy means for further reconnaissance and post exploitation tactics like DLL loading to use custom programs made by attackers to further the attack.
Two factor authentication can be bypassed by using attack forms like Browser Pivot, to hijack a compromised user’s authenticated session and mimic the target.
Advanced tunnelling capabilities built into Cobalt let attackers perform pivoting into other segments of the network via compromised footholds.

Mitigation

Sandboxes should emulate named pipes to detect the presence of Cobalt shellcode as CobaltStrike hides shellcode over named pipes.
Very strict network traffic examination to detect Cobalt C2 communication. The challenge is that it is a malleable C2 system that can use any profile of legitimate applications dictated by the operator to evade security and detection. The security team should specifically focus on HTTPS traffic as it is the default channel for C2 communication.
Frequency analysis of network traffic helps in identifying bot traffic from human generated traffic as the latter one will not be uniform.
If the HOST header of the traffic does not match with that of the destination address, it is likely to be a malicious one.
Check the URI against various CobaltStrike URI Indicators of Compromise to confirm the presence of the Cobalt beacon.
Enforce the rule of “least privilege” to domain accounts to restrict a user from having more privilege than they need.
Effective utilisation of SIEM systems to monitor ingress and egress traffic.
Proper isolation and segmentation of the network to protect critical assets.
Security administrators need to implement effective vulnerability management programmes to roll out patches and keep the systems updated.
Make users aware of phishing campaigns and client-side attacks to save themselves from phishing attacks.

Tactics, Techniques and Procedures (CobaltStrike)

Tactics	Techniques
Initial Access	T1078.002	Domain Accounts
Initial Access	T1078.003	Local Accounts
Execution	T1059.001	PowerShell
	T1059.006	Python
	T1059.005	Visual Basic
	T1059.003	Windows Command Shell
	T1106	Native API
	T1569.002	Service Execution
	T1047	Windows Management Instrumentation
Persistence	T1197	BITS Jobs
	T1543.003	Windows Service
	T1078.002	Domain Accounts
	T1078.003	Local Accounts
Privilege Escalation	T1548.002	Bypass User Account Control
	T1134.003	Make and Impersonate Token
	T1134.004	Parent PID Spoofing
	T1134.001	Token Impersonation/Theft
	T1543.003	Windows Service
	T1068	Exploitation for Privilege Escalation
	T1055	Process Injection
	T1055.012	Process Hollowing
	T1078.002	Domain Accounts
	T1078.003	Local Accounts
Defense Evasion	T1548.002	Bypass User Account Control
	T1134.003	Make and Impersonate Token
	T1134.004	Parent PID Spoofing
	T1134.001	Token Impersonation/Theft
	T1197	BITS Jobs
	T1070.006	Timestomp
	T1027.005	Indicator Removal from Tools
	T1055	Process Injection
	T1055.012	Process Hollowing
	T1550.002	Pass the Hash
	T1078.002	Domain Accounts
	T1078.003	Local Accounts
Credential Access	T1056.001	Keylogging
Credential Access	T1003.002	Security Account Manager
Discovery	T1087.002	Domain Account
	T1046	Network Service Scanning
	T1135	Network Share Discovery
	T1057	Process Discovery
	T1018	Remote System Discovery
	T1016	System Network Configuration Discovery
Lateral Movement	T1021.003	Distributed Component Object Model
	T1021.001	Remote Desktop Protocol
	T1021.002	SMB/Windows Admin Shares
	T1021.004	SSH
	T1021.006	Windows Remote Management
	T1550.002	Pass the Hash
Collection	T1005	Data from Local System
	T1056.001	Keylogging
	T1185	Man in the Browser
	T1113	Screen Capture
Command and Control	T1071	Application Layer Protocol
	T1071.004	DNS
	T1071.001	Web Protocols
	T1572	Protocol Tunneling
	T1090.001	Internal Proxy
Exfiltration	T1029	Scheduled Transfer

Indicators of Compromise

hostname	qq.cattom.buzz
	ssl.getpostmessage.com
	windows.t0ky0.com
	www.jquery-corp.ga
	www.outlook.best
	ims.trust-update.com
	www.kwwwing.com
	update.netaphorb.com
	mce.chrovnm.com
	app.hikvision.buzz
	en.flsah.cc
	download.softupdate-online.top
	aaa.stage.5614538.google.gydha.club
	hello.fitcomn.com
	www.lazha.xyz
	gf.topservice-masters.com
	yt.service-hel.com
	aaa.stage.12915008.360bug.net
	aaa.stage.11965376.360bug.net
	awasdqqqwxza.ddnsfree.com
	test.praetorian-threat-hunt.com
	aaa.stage.10214756.bacs.cc
	www2.completelyinnocuousdomain.com
	update.checkavail.space
	code.jquerys.xyz
domain	yten.xyz
	repshd.com
	corpcostco.com
	amapai-technologies.site
	zbfgns.xyz
	iqio.net
	freesectest.ml
	junesdiophantine.com
	charismatic-guy.me
	usahack.xyz
	forteupdate.com
	amajai-technologies.network
	amajai-technologies.industries
	amajai-technologies.host
	microsofts.network
URL	hxxp://mc.moocraft.org/qscftyjmntyuioyrewdghjfdwsupvmatef/shellcode.txt
	hxxp://oa.life-tsinghua.com/cx
	hxxp://aws-downloads.certauthv2.id/__utm.gif

Tags:
‍

No items found.

Advisory

Actors

Targeted System

Hashes

Tactics

Techniques

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

hostname

domain

URL