Unit 42 researchers identified two internet-facing Cobalt Strike Team Server instances hosting Beacon implants and recovered Malleable C2 profiles that do not appear in public repositories. The write-up explains the evasion techniques those profiles implement: rewriting HTTP URIs, headers and Host values so the traffic resembles benign web requests, disguising C2 activity behind known-good services, and staging Cobalt Strike on public cloud infrastructure. Hashtags: #CobaltStrike #Beacon #TeamServer #MalleableC2 #GitHub #PublicCloud
Keypoints
- Two internet-facing Cobalt Strike Team Server instances were identified, hosting Beacon implants and C2 functionality.
- Researchers extracted Malleable C2 profile configurations from Beacon binaries to understand evasive techniques.
- Attackers concealed C2 infrastructure behind benign services and public cloud providers to evade detection.
- New Malleable C2 profiles were deployed to bypass signature-based detections.
- Case analyses show previously unseen profiles used together with hiding behind known-good services (forged HTTP headers and benign-looking domains).
- Defenses include Palo Alto Networks threat signatures, WildFire, Cortex XDR, XSOAR automation, and updated URL filtering to block the associated traffic.
MITRE Techniques
- [T1071.001] Web Protocols – The article shows C2 traffic via HTTP GET/POST with encoded data and custom headers. ‘The encrypted and encoded data in the GET transaction is placed in a Cookie Parameter SESSIONID. The ID in the POST transaction is added to the custom header User.’
- [T1132] Data Encoding – The C2 traffic is transformed in layered encoding steps before transmission, including being ‘double encoded using Mask and NetBIOSU’ and base64-style obfuscation, as noted in the profile.
- [T1036] Masquerading – Attackers modify HTTP traffic to resemble benign sites by ‘modifying HTTP URLs, header parameters and host headers with harmless and widely recognized domains’ and by hosting profiles on known platforms like GitHub.
- [T1583.003] Acquire Infrastructure – Virtual Private Server – Threat actors host Team Servers on public cloud infrastructure, making attribution and detection harder; ‘The Team Server IP belongs to a prominent cloud provider.’
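The T1071.001 and T1132 entries above describe where the profile puts Beacon data (the Cookie parameter SESSIONID on GET, the custom User header on POST) and how it is transformed (mask, then netbiosu). The following Python is an added example written for this summary; it is not code from the Unit 42 article or from Cobalt Strike. It assumes the public Malleable C2 transform semantics: mask is a 4-byte XOR key prepended to the data, netbiosu writes each byte as two uppercase letters A..P (high nibble first), and the transforms are applied in the order mask then netbiosu, as the quoted phrase suggests. The sample requests, Host, URIs and key are constructed placeholders, and the payload stands in for Beacon's own encrypted metadata, which the example does not reproduce.

```python
import itertools
from typing import Dict, Optional

NETBIOSU_ALPHABET = "ABCDEFGHIJKLMNOP"  # one letter per nibble value 0..15


def mask_encode(data: bytes, key: bytes) -> bytes:
    """Malleable 'mask' transform: XOR with a 4-byte key, key prepended
    (layout assumed from the public profile language, not from the article)."""
    if len(key) != 4:
        raise ValueError("mask key must be 4 bytes")
    return key + bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def mask_decode(blob: bytes) -> bytes:
    """Inverse of mask_encode: strip the leading key and XOR it back out."""
    if len(blob) < 4:
        raise ValueError("mask blob shorter than its 4-byte key")
    key, body = blob[:4], blob[4:]
    return bytes(b ^ k for b, k in zip(body, itertools.cycle(key)))


def netbiosu_encode(data: bytes) -> str:
    """Malleable 'netbiosu' transform: two uppercase letters A..P per byte."""
    return "".join(NETBIOSU_ALPHABET[b >> 4] + NETBIOSU_ALPHABET[b & 0x0F]
                   for b in data)


def netbiosu_decode(text: str) -> bytes:
    """Inverse of netbiosu_encode; rejects anything outside the alphabet."""
    if len(text) % 2 or any(c not in NETBIOSU_ALPHABET for c in text):
        raise ValueError("not a netbiosu string")
    return bytes((NETBIOSU_ALPHABET.index(text[i]) << 4)
                 | NETBIOSU_ALPHABET.index(text[i + 1])
                 for i in range(0, len(text), 2))


def looks_like_netbiosu(value: str, min_len: int = 16) -> bool:
    """Detection heuristic: a long, even-length value drawn only from A..P
    is characteristic of netbiosu output and rare in real cookies/headers."""
    return (len(value) >= min_len and len(value) % 2 == 0
            and all(c in NETBIOSU_ALPHABET for c in value))


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Minimal HTTP/1.1 header parser; names lowercased, stops at blank line."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cookie_param(cookie_header: str, name: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def extract_c2_blob(raw_request: str) -> Optional[bytes]:
    """Pull the transformed data from the profile's locations (GET: Cookie
    SESSIONID; POST: custom User header), undo netbiosu then mask, and return
    the still-Beacon-encrypted blob. None if absent or not decodable."""
    method = raw_request.split(" ", 1)[0]
    headers = parse_headers(raw_request)
    if method == "GET":
        encoded = cookie_param(headers.get("cookie", ""), "SESSIONID")
    elif method == "POST":
        encoded = headers.get("user")
    else:
        return None
    if not encoded or not looks_like_netbiosu(encoded, min_len=8):
        return None
    try:
        return mask_decode(netbiosu_decode(encoded))
    except ValueError:
        return None


# Constructed sample traffic (hypothetical Host, URIs, key and payload).
SAMPLE_KEY = b"\x13\x37\xc0\xde"
SAMPLE_PAYLOAD = b"<encrypted Beacon metadata>"  # stand-in for real ciphertext


def build_get(payload: bytes = SAMPLE_PAYLOAD, key: bytes = SAMPLE_KEY) -> str:
    token = netbiosu_encode(mask_encode(payload, key))
    return ("GET /static/js/app.min.js HTTP/1.1\r\n"
            "Host: www.example.com\r\n"
            f"Cookie: SESSIONID={token}\r\n\r\n")


def build_post(payload: bytes = SAMPLE_PAYLOAD, key: bytes = SAMPLE_KEY) -> str:
    token = netbiosu_encode(mask_encode(payload, key))
    return ("POST /api/v1/submit HTTP/1.1\r\n"
            "Host: www.example.com\r\n"
            f"User: {token}\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    for req in (build_get(), build_post()):
        print(req.split("\r\n")[0], "->", extract_c2_blob(req))
```

Running the script prints both request lines with the recovered payload. In practice the recovered bytes are still encrypted with Beacon's own keys, so the value of this step for a defender is the detection side: the netbiosu alphabet check on cookie and header values, and the fact that the same transform chain appears in both the GET and POST directions.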
Indicators of Compromise
- [SHA-256] CS Beacon Samples – 22631d171fd7d531c0bc083a5335a910a95257e3194b50d8b471740d3a91fe34, 3528313aeff15375a2bce7b7587b188dcf1befb1e50c9db65d46e81a77a4a096, and 1 more hash
- [IP Address] CS Team Server IP Addresses – 23.95.44[.]80:80, 159.65.219[.]189:443, and 35.224.140[.]15:443
Read more: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/