Advisory | Adversary Intelligence
Actors | CobaltStrike Group/Carbanak
Targeted System | Windows Infrastructure
APT groups run their campaigns with very high operational security, which makes tracking their activity tedious. CloudSEK threat researchers have nevertheless detected notable patterns and changes in the way these actors currently operate.
Prominent threat groups are forming alliances with other such actors to maximise impact and profit, and new attack vectors seen in the wild are deliberately elusive, built so as not to tip off the security solutions deployed in the target environment.
Based on intelligence gathered from several reliable sources, FIN7 attack infrastructure was used by a threat actor to gain initial access to an enterprise network, which later paved the way for a RYUK ransomware attack. The threat actor's Tactics, Techniques, and Procedures (TTPs) and its use of the CARBANAK RAT trace back to FIN7. This strengthens our assessment that FIN7 is collaborating with WIZARD SPIDER/FIN6, the operators behind RYUK.
Template injection with delayed payload execution & malleable Cobalt C2
The CloudSEK Threat Intelligence team has observed a new attack vector the actor uses in spear-phishing campaigns to evade security controls. The lure is a weaponized Word document that stages the download of the Cobalt Strike beacon through remote template injection: the document carries no macro code of its own, only a relationship pointing at a remote .dotm template, which Word fetches and loads when the file is opened. The attachment itself therefore contains nothing for a mail gateway to flag, and payload delivery is deferred until the target opens the document. The adversary also employs .NET assemblies that provide auxiliary functions in support of the operation.
Indicator | Value (SHA256 unless noted)
Anadia Waleed resume.doc | 259632b416b4b869fc6dc2d93d2b822dedf6526c0fa57723ad5c326a92d30621
Remote Template: indexa.dotm | 7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2
Remote Template URL | hxxps://yenile[.]asia/YOOMANHOWYOUDARE/
C2 | time.updateeset[.]com
Ecmd.exe | aeb4c3ff5b5a62f5b7fcb1f958885f76795ee792c12244cee7e36d9050cfb298
Ecmd.exe | dcaaffea947152eab6572ae61d7a3783e6137901662e6b5b5cad82bffb5d8995
Ecmd.exe | 5f49a47abc8e8d19bd5ed3625f28561ef584b1a226df09d45455fbf38c73a79c
cf.ini | 0eba651e5d54bd5bb502327daef6979de7e3eb63ba518756f659f373aa5f4f8b
cf.ini shellcode after decryption | 5143c5d8715cfc1e70e9db00184592c6cfbb4b9312ee02739d098cf6bc83eff9
CobaltStrike downloaded shellcode | 8cfd023f1aa40774a9b6ef3dbdfb75dea10eb7f601c308f8837920417f1ed702
CobaltStrike payload | 7963ead16b6277e5b4fbd5d0b683593877d50a6ea7e64d2fc5def605eba1162a
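The template-injection check a defender would run on a suspect attachment, as an added example that is not code from the CloudSEK advisory. A .docx is a ZIP of XML parts, and the template attached to a document is recorded as a relationship of type `.../attachedTemplate` in `word/_rels/settings.xml.rels`. Word records a normal local template as a `file:///C:/...` target; an injected document instead points at an http(s) URL or UNC path with `TargetMode="External"`, so the `.dotm` and its macros are fetched when the file opens. The sample documents below are constructed in memory and the hostnames in them are hypothetical.

```python
"""Spot remote template injection (ATT&CK T1221) in a .docx.

Added example, not code from the CloudSEK advisory. Sample documents are
constructed in memory; hostnames/paths used in them are hypothetical.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def is_remote_target(target: str) -> bool:
    """True if a relationship target points somewhere off the local machine."""
    t = target.strip().lower()
    if re.match(r"^(?:https?|ftp)://", t):
        return True
    if t.startswith("\\\\"):                      # UNC path: \\host\share\x.dotm
        return True
    if t.startswith("file:"):
        rest = t[len("file:"):].lstrip("/")
        # file:///C:/... is how Word records a local Normal.dotm; file://host/... is not local
        return not re.match(r"^[a-z]:", rest)
    return False


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return every external attachedTemplate target found in the document."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):        # only relationship parts matter here
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if not rel.get("Type", "").endswith("/attachedTemplate"):
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and is_remote_target(target):
                    hits.append(target)
    return hits


# --- constructed sample documents (demo input, not real samples) -------------
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
_PACKAGE_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
    f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>'
)
_W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
_DOCUMENT_XML = f'<w:document xmlns:w="{_W_NS}"><w:body/></w:document>'


def build_docx(template_target: str | None, external: bool = True) -> bytes:
    """Build a minimal .docx whose settings part references template_target (or none)."""
    rel = ""
    settings_body = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rel = (f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
               f'Target="{template_target}"{mode}/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    settings_xml = (f'<w:settings xmlns:w="{_W_NS}" xmlns:r="{OFFICE_REL}">'
                    f'{settings_body}</w:settings>')
    settings_rels = f'<Relationships xmlns="{PKG_REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _PACKAGE_RELS)
        zf.writestr("word/document.xml", _DOCUMENT_XML)
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "injected (https)": build_docx("https://templates.example.net/indexa.dotm"),
        "injected (UNC)": build_docx(r"\\10.0.0.5\share\indexa.dotm"),
        "benign (local Normal.dotm)": build_docx(
            "file:///C:/Users/a/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        "benign (no template)": build_docx(None),
    }
    for label, blob in samples.items():
        print(f"{label:28s} -> {find_remote_templates(blob)}")
```

Run the script against a real attachment by reading its bytes and passing them to `find_remote_templates`; a non-empty result is the indicator, and the returned URL is the staging server to block and hunt for in proxy logs. The same relationship type also appears in `.dotx`/`.docm` files, which are ZIP containers with the same layout.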
Image-encoded Cobalt payload delivery
The CloudSEK Threat Intelligence team has observed an unusual delivery of the beacon encoded inside a PNG image hosted on the image-hosting platform Imgur. When the document's embedded macros execute, they launch a PowerShell script that downloads a second PowerShell script hosted on GitHub. That script fetches the PNG from Imgur, which is in fact an encoded Cobalt Strike payload, decodes the payload from the image data, and the resulting beacon connects to the attackers' infrastructure. Because the payload transits the network as an ordinary image served by a reputable host, neither the download nor the file type stands out to content inspection.
Indicator | Value
File hash (SHA256) | d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
File hash (SHA256) | ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
Domain:Port | Mazzion1234-44451[.]portmap[.]host:44451
URL | hxxp://Mazzion1234-44451[.]portmap[.]host/fVRO
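How a beacon ends up inside a PNG, as an added example that is not code from the CloudSEK advisory; the advisory does not state which encoding the actor used, so the scheme below is an assumption: the Invoke-PSImage-style approach that commonly backs "payload in a PNG" deliveries, where each payload byte is split into two 4-bit nibbles written into the low bits of a pixel's red and green channels. That changes each channel by at most 15/255, so the picture looks unchanged. The PNG writer/reader is a minimal one (8-bit RGB, filter type 0), the cover image is a generated gradient, and the payload is a constructed placeholder, not real shellcode.

```python
"""Round-trip a payload through the low nibbles of a PNG's pixels.

Added example, not from the CloudSEK advisory. The encoding is an
assumed Invoke-PSImage-style scheme; cover image and payload are
constructed placeholders.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Length-prefixed PNG chunk with CRC over type + body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw RGB bytes (row-major, 3 bytes per pixel) as an 8-bit PNG."""
    assert len(rgb) == width * height * 3, "rgb buffer does not match dimensions"
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    stride = width * 3
    # one filter-type byte (0 = None) in front of every scanline
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Decode an 8-bit RGB PNG whose rows use filter type 0; returns (width, height, rgb)."""
    assert data[:8] == PNG_SIG, "not a PNG"
    pos, width, height, idat = 8, 0, 0, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            assert (depth, colour) == (8, 2), "demo supports 8-bit RGB only"
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
        pos += 12 + length                       # length + type + body + crc
    raw = zlib.decompress(b"".join(idat))
    stride = width * 3
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert row[0] == 0, "demo supports filter type 0 only"
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_payload(rgb: bytes, payload: bytes) -> bytes:
    """Hide a 4-byte big-endian length + payload, one payload byte per pixel."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 3 > len(rgb):
        raise ValueError(f"cover image holds {len(rgb) // 3} bytes, payload needs {len(blob)}")
    out = bytearray(rgb)
    for i, byte in enumerate(blob):
        p = i * 3                                # pixel i: R at p, G at p + 1, B left untouched
        out[p] = (out[p] & 0xF0) | (byte >> 4)
        out[p + 1] = (out[p + 1] & 0xF0) | (byte & 0x0F)
    return bytes(out)


def extract_payload(rgb: bytes) -> bytes:
    """Inverse of embed_payload: reassemble nibbles, honour the length prefix."""
    def read(n: int) -> bytes:
        return bytes(((rgb[i * 3] & 0x0F) << 4) | (rgb[i * 3 + 1] & 0x0F) for i in range(n))
    (length,) = struct.unpack(">I", read(4))
    if (4 + length) * 3 > len(rgb):
        raise ValueError("length prefix exceeds image capacity; not an encoded image or truncated")
    return read(4 + length)[4:]


def make_cover(width: int = 64, height: int = 64) -> bytes:
    """Generated gradient standing in for a real picture (constructed)."""
    return bytes(c for y in range(height) for x in range(width) for c in ((x * 4) & 0xFF, (y * 4) & 0xFF, 128))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change the embedding made to the cover image."""
    return max(abs(x - y) for x, y in zip(a, b))


def roundtrip(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Embed -> write PNG -> parse PNG -> extract; returns the recovered payload."""
    stego = embed_payload(make_cover(width, height), payload)
    w, h, rgb = read_png(write_png(width, height, stego))
    assert (w, h) == (width, height)
    return extract_payload(rgb)


if __name__ == "__main__":
    fake_shellcode = bytes(range(256)) * 4       # constructed placeholder, not a real payload
    cover = make_cover()
    print("recovered OK:", roundtrip(fake_shellcode) == fake_shellcode)
    print("max channel delta:", max_channel_delta(cover, embed_payload(cover, fake_shellcode)))
```

The defensive takeaway is in `extract_payload`: the image parses as a perfectly valid PNG, so file-type and signature checks on the download are useless; detection has to come from the PowerShell that issues the request and walks pixel data, and from the beacon traffic that follows.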
A new ransomware strain known as CRING has been identified using the Cobalt Strike beacon in its campaigns for the post-exploitation and lateral-movement phases of the kill chain.
Hashes (MD5)
38217fa569df8f93434959c1c798b29d
8d156725c6ce172b59a8d3c92434c352
8d1650e5e02cd1934d21ce57f6f1af34
d8415a528df5eefcb3ed6f1a79746f40
Tactic | Technique ID | Technique
Initial Access | T1078.002 | Domain Accounts
Initial Access | T1078.003 | Local Accounts
Execution | T1059.001 | PowerShell
Execution | T1059.006 | Python
Execution | T1059.005 | Visual Basic
Execution | T1059.003 | Windows Command Shell
Execution | T1106 | Native API
Execution | T1569.002 | Service Execution
Execution | T1047 | Windows Management Instrumentation
Persistence | T1197 | BITS Jobs
Persistence | T1543.003 | Windows Service
Persistence | T1078.002 | Domain Accounts
Persistence | T1078.003 | Local Accounts
Privilege Escalation | T1548.002 | Bypass User Account Control
Privilege Escalation | T1134.003 | Make and Impersonate Token
Privilege Escalation | T1134.004 | Parent PID Spoofing
Privilege Escalation | T1134.001 | Token Impersonation/Theft
Privilege Escalation | T1543.003 | Windows Service
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1055.012 | Process Hollowing
Privilege Escalation | T1078.002 | Domain Accounts
Privilege Escalation | T1078.003 | Local Accounts
Defense Evasion | T1548.002 | Bypass User Account Control
Defense Evasion | T1134.003 | Make and Impersonate Token
Defense Evasion | T1134.004 | Parent PID Spoofing
Defense Evasion | T1134.001 | Token Impersonation/Theft
Defense Evasion | T1197 | BITS Jobs
Defense Evasion | T1070.006 | Timestomp
Defense Evasion | T1027.005 | Indicator Removal from Tools
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1055.012 | Process Hollowing
Defense Evasion | T1550.002 | Pass the Hash
Defense Evasion | T1078.002 | Domain Accounts
Defense Evasion | T1078.003 | Local Accounts
Credential Access | T1056.001 | Keylogging
Credential Access | T1003.002 | Security Account Manager
Discovery | T1087.002 | Domain Account
Discovery | T1046 | Network Service Scanning
Discovery | T1135 | Network Share Discovery
Discovery | T1057 | Process Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1016 | System Network Configuration Discovery
Lateral Movement | T1021.003 | Distributed Component Object Model
Lateral Movement | T1021.001 | Remote Desktop Protocol
Lateral Movement | T1021.002 | SMB/Windows Admin Shares
Lateral Movement | T1021.004 | SSH
Lateral Movement | T1021.006 | Windows Remote Management
Lateral Movement | T1550.002 | Pass the Hash
Collection | T1005 | Data from Local System
Collection | T1056.001 | Keylogging
Collection | T1185 | Man in the Browser
Collection | T1113 | Screen Capture
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1071.004 | DNS
Command and Control | T1071.001 | Web Protocols
Command and Control | T1572 | Protocol Tunneling
Command and Control | T1090.001 | Internal Proxy
Exfiltration | T1029 | Scheduled Transfer
Hostname
qq.cattom.buzz
ssl.getpostmessage.com
windows.t0ky0.com
www.jquery-corp.ga
www.outlook.best
ims.trust-update.com
www.kwwwing.com
update.netaphorb.com
mce.chrovnm.com
app.hikvision.buzz
en.flsah.cc
download.softupdate-online.top
aaa.stage.5614538.google.gydha.club
hello.fitcomn.com
www.lazha.xyz
gf.topservice-masters.com
yt.service-hel.com
aaa.stage.12915008.360bug.net
aaa.stage.11965376.360bug.net
awasdqqqwxza.ddnsfree.com
test.praetorian-threat-hunt.com
aaa.stage.10214756.bacs.cc
www2.completelyinnocuousdomain.com
update.checkavail.space
code.jquerys.xyz
Domain
yten.xyz
repshd.com
corpcostco.com
amapai-technologies.site
zbfgns.xyz
iqio.net
freesectest.ml
junesdiophantine.com
charismatic-guy.me
usahack.xyz
forteupdate.com
amajai-technologies.network
amajai-technologies.industries
amajai-technologies.host
microsofts.network
URL
hxxp://mc.moocraft.org/qscftyjmntyuioyrewdghjfdwsupvmatef/shellcode.txt
hxxp://oa.life-tsinghua.com/cx
hxxp://aws-downloads.certauthv2.id/__utm.gif
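Turning the C2 indicators above into a DNS-log check, as an added example that is not code from the CloudSEK advisory. `IOC_DOMAINS` is a subset of the hostnames and domains listed on this page (defanged forms are normalised before matching) and the log lines are constructed for the demo. Matching is done on DNS label boundaries, so `cdn.yten.xyz` matches the listed domain `yten.xyz` while `repshd.com.cdn.example.net` does not. The example also goes one step beyond the list: any name beginning `aaa.stage.<digits>.` is flagged even when its domain is not listed, because that is the label pattern Cobalt Strike's DNS beacon uses for its staging requests and several of the hostnames above follow it.

```python
"""Match DNS query logs against the advisory's C2 indicators.

Added example, not code from the CloudSEK advisory. IOC_DOMAINS is a
subset of the indicators listed on this page; SAMPLE_LOG is constructed.
"""
import re

IOC_DOMAINS = [
    "time.updateeset[.]com", "qq.cattom.buzz", "ssl.getpostmessage.com",
    "update.netaphorb.com", "yten.xyz", "repshd.com", "microsofts.network",
    "Mazzion1234-44451[.]portmap[.]host",
]

# Cobalt Strike's DNS beacon requests its stage under aaa.stage.<id>.<c2 domain>
CS_DNS_STAGER = re.compile(r"^aaa\.stage\.\d+\.", re.I)


def refang(indicator: str) -> str:
    """Normalise a (possibly defanged) name: lower-case, '[.]' -> '.', no trailing dot."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


def build_matcher(indicators):
    """Return classify(qname) -> verdict string or None, matching on label boundaries."""
    known = {refang(i) for i in indicators}

    def classify(qname: str):
        q = refang(qname)
        labels = q.split(".")
        for i in range(len(labels)):             # the name itself, then each parent domain
            parent = ".".join(labels[i:])
            if parent in known:
                return f"ioc-match:{parent}"
        if CS_DNS_STAGER.match(q):
            return "cs-dns-stager-pattern"
        return None

    return classify


# Constructed DNS log, one query per line: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2021-05-10T10:00:01Z 10.0.0.7 A www.microsoft.com
2021-05-10T10:00:02Z 10.0.0.7 A qq.cattom.buzz
2021-05-10T10:00:03Z 10.0.0.9 TXT aaa.stage.5614538.google.gydha.club
2021-05-10T10:00:04Z 10.0.0.9 A cdn.yten.xyz
2021-05-10T10:00:05Z 10.0.0.12 A time.updateeset.com.
2021-05-10T10:00:06Z 10.0.0.12 A repshd.com.cdn.example.net
2021-05-10T10:00:07Z 10.0.0.12 A mazzion1234-44451.portmap.host
"""


def scan_log(text: str, indicators=IOC_DOMAINS):
    """Return (client, qname, verdict) for every log line whose query matches."""
    classify = build_matcher(indicators)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:                       # skip blank or malformed lines
            continue
        _ts, client, _qtype, qname = parts[:4]
        verdict = classify(qname)
        if verdict:
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for client, qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{client:10s} {qname:45s} {verdict}")
```

Feed the full hostname and domain lists from this page into `IOC_DOMAINS` and point `scan_log` at resolver or Sysmon DNS telemetry; a `cs-dns-stager-pattern` verdict on a domain that is not in the list is worth pivoting on, since it points at a DNS beacon staging host this advisory did not enumerate.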