PowerShell Script by Black Basta for Deploying a Cobalt Strike Beacon

Black Basta abused built-in Windows tooling, notably PowerShell, to deliver a multi-layer obfuscated payload that decompresses and XOR-decodes a Cobalt Strike beacon and injects it into memory, leaving no payload file on disk. The decoded payload referenced the domain coridalelara[.]net, which resolved to 170.130.55.31. The activity was detected and analyzed by ThreatDown's EDR/MDR team.

Keypoints

  • Black Basta operators used PowerShell with -NoProfile, -WindowStyle hidden, and -EncodedCommand to run an obfuscated payload.
  • The payload included multiple obfuscation layers: Base64 encoding, GZip compression, and a single-byte XOR pass over the beacon bytes (decimal key 35, i.e. 0x23).
  • The script executed entirely in memory (fileless) by creating and using an IO.MemoryStream and Invoke-Expression to avoid disk traces.
  • Decoded content contained the domain coridalelara[.]net and IP 170.130.55.31, linked to a Cobalt Strike client beacon.
  • ThreatDown’s EDR flagged the script as suspicious and an MDR analyst unpacked the full chain to reveal the C2 beacon setup.

MITRE Techniques

  • [T1071] Application Layer Protocol (Command and Control) – The Cobalt Strike beacon communicates with C2 infrastructure to maintain access ('Cobalt Strike … is known for its ability to deploy beacons for command and control (C2) communications.')
  • [T1059.001] Command and Scripting Interpreter: PowerShell (Execution) – Runs an obfuscated PowerShell command with profile loading disabled and a hidden window ('powershell -nop -w hidden -encodedcommand [base64-encoded string]')
  • [T1027] Obfuscated Files or Information (Defense Evasion) – Hides the payload behind layered Base64 encoding, compression, and XOR ('rounds of base64 encoding, compression, and encryption to obscure a PowerShell script')
  • [T1620] Reflective Code Loading (Defense Evasion) – Decompresses and executes the next stage from a MemoryStream inside the PowerShell process instead of writing a file ('creates a stream of bytes in memory, rather than on disk')
  • [T1140] Deobfuscate/Decode Files or Information (Defense Evasion) – The script XOR-decodes the embedded byte array at runtime before injection ('The data in the string is further obscured using XOR encryption with a decimal key of 35.')

Indicators of Compromise

  • [Domain] C2 domain used in the decoded byte array – coridalelara[.]net
  • [IP Address] Resolved C2 endpoint – 170.130.55.31 (blocked by vendors as a Cobalt Strike client)
  • [Encoded Command] Obfuscated PowerShell invocation – ‘powershell -nop -w hidden -encodedcommand [base64-encoded string]’
  • [User Agent Strings] Embedded in the decoded byte array – multiple browser user agent strings, consistent with the HTTP headers a Cobalt Strike beacon presents to its C2 server

Black Basta operators leveraged native Windows tools to blend into normal administrative activity and stage a Cobalt Strike beacon for remote control. The entry point was a PowerShell invocation with -nop (no profile), -w hidden (no visible window) and -encodedcommand. Decoding the Base64 argument (UTF-16LE, as -EncodedCommand expects) yielded a short loader script that held a second Base64 string; decoding that string produced GZip-compressed data.

The loader wrapped the compressed bytes in an IO.MemoryStream, decompressed them through a GzipStream and passed the result to Invoke-Expression, so the next stage never touched disk. That stage carried a Base64-encoded byte array which the script XOR-decoded in place with key 35; the decoded bytes contained a domain (coridalelara[.]net), several browser user agent strings, and the IP 170.130.55.31, indicators tied to a Cobalt Strike client used for C2.
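The three-layer unpacking described above, written as an analyst-side decoder. This is an added example and not code from the ThreatDown write-up; the stager it unpacks is a constructed stand-in that reproduces the layering (Base64 of a UTF-16LE loader, Base64 of GZip data, Base64 of XOR-35 bytes) around inert filler plus the article's indicators, not a real beacon. The PowerShell loader text and the regexes are assumptions about the stager's shape, and the XOR key is read back from the script rather than hard-coded so the decoder also works if a sample uses a different key.

```python
"""Peel the layered PowerShell stager pattern: -encodedcommand -> gzip -> XOR."""
import base64
import gzip
import re

XOR_KEY = 35  # decimal key reported in the article (0x23)

# Indicators taken from the article; the surrounding bytes are constructed filler.
SAMPLE_DOMAIN = b"coridalelara.net"
SAMPLE_IP = b"170.130.55.31"
SAMPLE_UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def build_sample_command() -> str:
    """CONSTRUCTED stand-in with the same three layers as the described stager.
    The innermost bytes are inert filler plus the indicators, not shellcode."""
    inner_bytes = (b"\x00\x01\x02\x03" + SAMPLE_UA + b"\x00" +
                   SAMPLE_DOMAIN + b"\x00" + SAMPLE_IP + b"\x00")
    xored = bytes(b ^ XOR_KEY for b in inner_bytes)
    # Stage 2 (assumed shape): Base64 byte array plus an in-place XOR loop.
    inner_script = (
        "[Byte[]]$var_code = [System.Convert]::FromBase64String('%s');"
        "for ($x = 0; $x -lt $var_code.Count; $x++) "
        "{ $var_code[$x] = $var_code[$x] -bxor %d }"
        % (base64.b64encode(xored).decode(), XOR_KEY)
    )
    gz = gzip.compress(inner_script.encode(), mtime=0)
    # Stage 1 (assumed shape): MemoryStream + GzipStream + IEX loader.
    loader = (
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
        % base64.b64encode(gz).decode()
    )
    # -EncodedCommand takes the Base64 of the UTF-16LE script text.
    encoded = base64.b64encode(loader.encode("utf-16-le")).decode()
    return f"powershell -nop -w hidden -encodedcommand {encoded}"


def decode_encoded_command(cmdline: str) -> str:
    """Layer 1: find the -e/-enc/-encodedcommand argument and decode it as UTF-16LE."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def extract_b64_literal(script: str) -> bytes:
    """Pull the first FromBase64String('...') literal out of a script and decode it."""
    m = re.search(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)", script)
    if not m:
        raise ValueError("no FromBase64String literal found")
    return base64.b64decode(m.group(1))


def loader_traits(script: str) -> list:
    """Fileless-loader markers worth alerting on in decoded command lines."""
    markers = ["IO.MemoryStream", "GzipStream", "IEX", "Invoke-Expression", "-bxor"]
    return [mk for mk in markers if mk in script]


def printable_strings(data: bytes, min_len: int = 6) -> list:
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def unpack_stager(cmdline: str) -> dict:
    """Run all three layers and return each stage plus the strings in the final bytes."""
    layer1 = decode_encoded_command(cmdline)            # loader script
    layer2 = gzip.decompress(extract_b64_literal(layer1)).decode("utf-8")
    key_match = re.search(r"-bxor\s+(\d+)", layer2)     # read the key from the script
    key = int(key_match.group(1)) if key_match else XOR_KEY
    payload = bytes(b ^ key for b in extract_b64_literal(layer2))
    return {
        "layer1": layer1,
        "layer2": layer2,
        "traits": loader_traits(layer1) + loader_traits(layer2),
        "xor_key": key,
        "payload": payload,
        "strings": printable_strings(payload),
    }


if __name__ == "__main__":
    result = unpack_stager(build_sample_command())
    print("XOR key:", result["xor_key"])
    print("loader traits:", result["traits"])
    for s in result["strings"]:
        print("  ", s.decode())
```

In practice the command line comes from EDR process telemetry (the PowerShell process's arguments), and the printable strings from the final layer are what gets pivoted into C2 infrastructure: here the domain, the IP and the browser user agent. A real sample's final bytes would be position-independent code, so the strings scan is a triage step, not a full beacon config parse.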

The case shows how living-off-the-land and fileless techniques let threat actors evade disk-based detection, and why EDR telemetry on process command lines plus skilled MDR analysis is needed to unpack layered obfuscation and expose attacker objectives before ransomware is deployed.

Read more: https://www.threatdown.com/blog/how-black-basta-used-powershell-to-set-up-a-cobalt-strike-beacon/