Server-side attacks, C&C in public clouds and other MDR cases we observed

Two MDR case studies show attackers leveraging public clouds for C2, memory-resident toolsets, and targeted server-side intrusions across Exchange and SQL Server. The report also details long-text payloads, custom loaders, and exfiltration techniques used to spy on victims and move data out via non-standard channels.
#CobaltStrike #CloudflareWorkers

Keypoints

  • Attackers used public cloud services (Cloudflare Workers) as C2 redirectors to hide command-and-control traffic.
  • Case #1 shows memory-resident toolsets (likely Cobalt Strike/Meterpreter) and attempts to dump LSASS memory with comsvcs.dll.
  • Web-based C2 communications were observed via HTTP(S) to a cloud URL (blue-rice-1d8e.dropboxonline.workers.dev).
  • Payloads were hidden in long text content, decoded from base64, and executed via a VBScript chain that mimics legitimate system scripts.
  • Case #2 covers MS SQL Server exploitation using obfuscated PowerShell and SQL Server Agent jobs for persistence and data access.
  • Server-side attacks include ProxyShell exploitation of Microsoft Exchange, with multiple ASPX web shells created under the Exchange server frontend.
  • Exfiltration and data collection occurred via psexec-driven access, archiving with RAR, and custom network tools (s.exe) to transfer data to external endpoints.

MITRE Techniques

  • [T1588.002] Obtain Capabilities: Tool – Use of Cobalt Strike/Meterpreter-like toolsets; “A malicious payload was executed in the victim’s system and started communicating with the C&C server”.
  • [T1620] Reflective Code Loading – Payload migrated to the victim’s memory; “The malicious payload migrated to the victim’s memory”.
  • [T1059.001] PowerShell – Execution of PowerShell code; “Execution of PowerShell code via ‘ScriptBlock’ instead of ‘Invoke-Expression’”.
  • [T1216.001] System Script Proxy Execution – Malicious payload executed via System Script proxy; “Process start”, “SyncAppvPublishingServer.vbs”.
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via autostart entry; “Regex on autostart entry details”.
  • [T1204.002] Malicious File – Initial execution sequence from downloaded file; “From directory: C:\Users\…\ExcelAnalyzer 3.4.3\crack\Patch.exe”.
  • [T1027] Obfuscated Files or Information – Payload contained Base64-encoded data; “02f4f239-0922-49fe-a338-c7460cb37d95.sys contained text; … Base-64-encoded payload”.
  • [T1140] Deobfuscate/Decode Files or Information – Payloads decoded from encoded content; “Deobfuscate/Decode” context appears in the detection narrative.
  • [T1560.001] Archive via Utility – Data collection via RAR archiving; “RAR archiver for data collection”.
  • [T1090.003] Multi-hop Proxy / [T1595.002] Vulnerability Scanning – TOR-based scanning observed; “Reputation analysis showed the use of TOR network for scanning”.
  • [T1190] Exploit Public-Facing Application – ProxyShell/Exchange exploitation; “Exploitation attempt”.
  • [T1505.003] Web Shell – Web shells created via ASPX files on Exchange server.
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement and share access; “Inbound and outbound share access”.
  • [T1592] Gather Victim Host Information / [T1590] Gather Victim Network Information – Internal reconnaissance; “The attacker performed internal reconnaissance”.
  • [T1071.001] Web Protocols – C2 over HTTP/HTTPS; “The attacker’s C&C server”.
  • [T1571] Non-Standard Port – C2/Web traffic over non-standard port 53; “HTTP on the non-standard 53/TCP port”.
  • [T1497] Virtualization/Sandbox Evasion – Sandbox evasion techniques (HookSleep) observed in custom loaders.
  • [T1036.005] Match Legitimate Name or Location – Masquerading as ntuser.dat-like files; “ntuser.dat” deception.
  • [T1140] Deobfuscate/Decode Files or Information – Payload decoding steps observed in long text content.
  • [T1560.001] Archive via Utility – Data exfiltration via archiving with rar.exe.
  • [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol – Data exfiltration via non-C2 channels.

Indicators of Compromise

  • [URL] Cloudflare Workers/C2 – https://blue-rice-1d8e.dropboxonline.workers.dev/jquery/secrets/[random sequence], https://blue-rice-1d8e.dropboxonline.workers.dev/mails/images/[cut out]?_udpqjnvf=[cut out]
  • [Domain] C2 domain – counter.wmail-service.com (and related subdomains)
  • [IP] 31.192.234.60 – http://31.192.234.60:53/useintget (non-standard port used for C2)
  • [IP] 139.162.35.70 – http://139.162.35.70:53/micsoftgp (non-standard port)
  • [IP] 101.39.*.* – multiple hosts observed in C2/network activity (obfuscated in text)
  • [MD5] 106BC66F5A6E62B604D87FA73D70A708, 383D20DE8F94D12A6DED1E03F53C1E16, 6C62BEED54DE668234316FC05A5B2320, AE03B4C183EAA7A4289D8E3069582930, B83C9905F57045110C75A950A4EE56E4
  • [File] 02f4f239-0922-49fe-a338-c7460cb37d95.sys – Base64-encoded payload hidden inside the file
  • [File] ntuser.dat / ntusers.dat variants – shellcode embedded in similarly named files
  • [File] 01 816-s.rar / 0816-s.rar – archive used to exfil credentials, with remote execution via rar.exe
  • [Process] windnphd.exe, windpchsvc.exe, winpdasd.exe, s.exe – custom loaders/tools involved in payload extraction and execution
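The C2 indicators above can be turned into simple proxy-log triage rules: exact matches on the reported hosts and IPs, plus two behavioural checks the report highlights (web traffic to a Cloudflare Workers host and HTTP on 53/TCP). This is an added example, not code from the Securelist report; the log format and the sample lines are constructed for illustration.

```python
import re

# Indicators quoted from the report, used as an exact-match denylist.
KNOWN_C2_HOSTS = {"blue-rice-1d8e.dropboxonline.workers.dev", "counter.wmail-service.com"}
KNOWN_C2_DOMAIN_SUFFIX = ".wmail-service.com"   # "and related subdomains"
KNOWN_C2_IPS = {"31.192.234.60", "139.162.35.70"}

# Behavioural heuristics that do not depend on the specific indicators.
WORKERS_DEV = re.compile(r"(^|\.)workers\.dev$", re.IGNORECASE)  # Cloudflare Workers redirectors
DNS_PORT = 53                                                    # T1571: web traffic on 53/TCP
WEB_SCHEMES = {"http", "https"}

# Constructed log format (assumption): "<src_ip> <dst_host> <dst_port> <scheme> <path>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<host>\S+) (?P<port>\d+) (?P<scheme>\S+) (?P<path>\S*)$")

# Constructed sample lines, not taken from the report's telemetry.
SAMPLE_LOGS = [
    "10.0.0.5 blue-rice-1d8e.dropboxonline.workers.dev 443 https /jquery/secrets/abc123",
    "10.0.0.7 31.192.234.60 53 http /useintget",
    "10.0.0.9 www.example.com 443 https /index.html",
    "10.0.0.11 update.microsoft.com 80 http /download",
    "10.0.0.12 139.162.35.70 53 http /micsoftgp",
    "10.0.0.13 stats.wmail-service.com 443 https /",
]

def classify(line):
    """Return the reasons a proxy log line deserves review; an empty list means clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    host, port, scheme = m["host"].lower(), int(m["port"]), m["scheme"].lower()
    reasons = []
    if host in KNOWN_C2_HOSTS or host.endswith(KNOWN_C2_DOMAIN_SUFFIX):
        reasons.append("known-c2-host")
    if host in KNOWN_C2_IPS:
        reasons.append("known-c2-ip")
    # workers.dev hosts plenty of legitimate apps: this is a triage signal, not a block rule.
    if WORKERS_DEV.search(host):
        reasons.append("cloud-worker-redirector")
    if scheme in WEB_SCHEMES and port == DNS_PORT:
        reasons.append("http-on-53")
    return reasons

def scan(lines):
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {line: classify(line) for line in lines if classify(line)}

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOGS).items():
        print(f"{', '.join(reasons):40} {line}")
```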

Read more: https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/107826/