PowerShell Loaders Deploy Cobalt Strike

A PowerShell script named y1.ps1, found in an open directory on a Chinese server, acts as a shellcode loader: it decodes and runs its payload entirely in memory and then connects to Cobalt Strike infrastructure for post-exploitation. The shellcode evades analysis with API hashing and loads the final payload by reflective DLL injection, and the command-and-control servers it reaches are hosted mainly in China and Russia, with related infrastructure in the United States, Singapore, and Hong Kong. #PowerShellLoader #CobaltStrike #BaiduCloud #BegetLLC

Keypoints

  • The PowerShell script y1.ps1 functions as a shellcode loader executing in memory to bypass disk-based detection techniques.
  • The script connects to a second-stage C2 server hosted on Baidu Cloud Function Compute for downloading additional payloads.
  • The shellcode uses API hashing and forged User-Agent strings to evade static and network detection methods.
  • The final payload beacons to a Cobalt Strike team server at 46.173.27.142 in Russia, identified as Cobalt Strike by the SSL certificate metadata the server presents.
  • Investigation revealed related infrastructure hosted across China, Russia, the United States, Singapore, and Hong Kong.
  • Reflective DLL injection is used to load the Cobalt Strike payload directly into memory without touching disk storage.
  • Indicators of compromise include multiple malicious PowerShell scripts, C2 IP addresses, domains, and SSL certificates issued by “cobaltstrike”.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – the loader script y1.ps1 decodes the payload and starts execution (‘The PowerShell script y1.ps1 executes shellcode directly in memory’).
  • [T1140] Deobfuscate/Decode Files or Information – the embedded payload is recovered in memory before it runs (‘decodes a Base64-encoded byte array, decrypts it with an XOR operation, and allocates executable memory’).
  • [T1620] Reflective Code Loading – both the shellcode and the Cobalt Strike DLL are run from memory, so no payload file is written for disk-based controls to inspect (‘it implements a reflective DLL loading technique, which allows a DLL to be loaded directly from memory’; ‘executes shellcode directly in memory using reflective techniques, bypassing disk-based detection’).
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – the shellcode resolves Windows API functions by hash rather than by name, leaving no import names for static signatures to match (the API hashing noted above).
  • [T1071.001] Application Layer Protocol: Web Protocols – second-stage retrieval over HTTPS from Baidu Cloud Function Compute, with a spoofed browser User-Agent so the request blends into ordinary web traffic (‘The shellcode initiates an HTTPS connection to its C2 server at y2n273y10j.cfc-execute.bj.baidubce.com’; ‘sets a forged User-Agent string: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)’).
  • [T1588.002] Obtain Capabilities: Tool – cracked Cobalt Strike beacons and loaders supply the post-exploitation tooling (‘linked the activity to known Cobalt Strike infrastructure and exposed part of a broader setup’).

Indicators of Compromise

  • [PowerShell Script] Malicious loaders identified – y1.ps1, SHA-256 cdd757e92092b9a72dec0a7529219dd790226b82c69925c90e5d832955351b52, plus more than ten further script hashes listed in the source report.
  • [IP Address] Known Cobalt Strike C2 servers – 46.173.27.142 (Russia), 123.207.215.76 (China), 182.92.76.239 (China), 35.240.168.83 (Singapore), and multiple others across China, Russia, US, Singapore, Hong Kong.
  • [Domain] Baidu Cloud Function Compute C2 – y2n273y10j.cfc-execute.bj.baidubce.com used for second-stage payload delivery.
  • [SSL Certificate] Cobalt Strike issuer metadata – Certificates with Subject/Common Name “Major Cobalt Strike” and Issuer Organization “cobaltstrike”. This is the default self-signed certificate an unmodified Cobalt Strike team server presents, so it is a reliable pivot for finding further servers, with the caveat that operators who customise their team server replace it.


Read more: https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure