Attackers Exploiting Public Cobalt Strike Profiles

Unit 42 researchers detail malicious Cobalt Strike infrastructure whose Beacons are configured with Malleable C2 profiles copied from public repositories. The findings show attackers taking publicly available profiles, lightly modifying them, and relying on the resulting look-alike traffic to evade pattern-based detection; Unit 42 argues that this favours machine-learning defenses such as its Advanced Threat Prevention (ATP) service over static heuristics for highly evasive C2 traffic. #CobaltStrike #Beacon #MalleableC2 #ocsp.profile #Lenovo #DidierStevens

Keypoints

  • Malicious Cobalt Strike Beacon samples use Malleable C2 profiles borrowed from a public repository; all three described samples derive from the same ocsp.profile.
  • The first sample sends GET requests to /ocsp/ with a User-Agent of Microsoft-CryptoAPI/7.0 and carries Beacon's (encrypted) session metadata in the URI, encoded with the profile's lowercase netbios transform.
  • The second sample is also based on ocsp.profile but uses /download/ for GET and /pkg/a/ for POST, with User-Agent Microsoft-CryptoAPI/8.1.
  • The third sample is a stageless Beacon that keeps ocsp.profile unchanged but beacons to a C2 domain whose leading labels imitate a Lenovo FQDN (see the last domain in the IOC list), an example of domain impersonation.
  • Because a Malleable C2 profile is trivial to edit, attackers can alter URIs, headers and encodings faster than signature-based network controls can be updated, creating a detection arms race.
  • The researchers advocate machine-learning-based detection (e.g., Palo Alto Networks' ATP) as more effective than static heuristics against highly evasive C2 such as Cobalt Strike.

MITRE Techniques

  • [T1071.001] Web Protocols – Beacon C2 runs over HTTP: a GET request retrieves the command to execute and a POST request returns the command execution result.
  • [T1132] Data Encoding – Victim metadata is encoded with the lowercase netbios transform ('a' represents nibble 0, 'p' nibble 15) and appended to the request URI.
  • [T1036] Masquerading – The profile uses altered User-Agent strings (“Microsoft-CryptoAPI/7.0” in place of the repository's “6.1”) to blend with legitimate Windows certificate-revocation traffic. Note that a genuine Windows host reports its NT version in this header (6.1 for Windows 7, 6.3 for Windows 8.1, 10.0 for Windows 10/11), so 7.0 and 8.1 are values no real Windows build sends and are themselves useful detection features.
  • [T1055] Process Injection – Attackers load Beacon into memory through some other compromised process.
  • [T1105] Ingress Tool Transfer – Beacon samples are served by the Cobalt Strike servers themselves: “We downloaded this Beacon sample from one of the Cobalt Strike servers discovered by our ATP solution.”
  • [T1562.001] Impair Defenses – The write-up notes that traffic-pattern detections “are of limited value” because “attackers can trivially modify the Malleable C2 profile, creating a detection arms race.” This mapping is loose: T1562.001 covers disabling or modifying defensive tools on a host, whereas reshaping one's own C2 traffic is better described under Data Obfuscation (T1001), e.g. protocol impersonation.
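The key points and the T1132/T1036 entries above describe the shape of a check-in generated by ocsp.profile: a known URI prefix, a Microsoft-CryptoAPI User-Agent with a non-Windows version number, and netbios-encoded metadata appended to the GET path. The following is an added example, not code from the Unit 42 write-up or from Cobalt Strike, of how a detection engineer might turn those observations into a log check. It implements the Malleable C2 netbios/netbiosu transforms from their documented definition ('a' or 'A' is nibble 0) and scans a few constructed proxy-log lines. The log format, the set of legitimate CryptoAPI versions and the sample traffic are assumptions for illustration; the URIs and User-Agent values are the ones reported above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators reported in the write-up above (ocsp.profile-derived samples).
PROFILE_GET_URIS = ("/ocsp/", "/download/")
PROFILE_POST_URIS = ("/pkg/a/",)
PROFILE_USER_AGENTS = {"Microsoft-CryptoAPI/7.0", "Microsoft-CryptoAPI/8.1"}

# Assumption (not from the write-up): Windows puts its NT version after the
# slash, so these are the only values a genuine CryptoAPI client would send.
LEGIT_CRYPTOAPI_VERSIONS = {"5.131", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Constructed log format for this example: <ts> <src> <METHOD> <uri> "<ua>"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')


def netbios_encode(data: bytes, upper: bool = False) -> str:
    """Malleable C2 'netbios' transform: each byte -> two letters, high nibble
    then low nibble, each offset from 'a' ('A' for the 'netbiosu' variant)."""
    base = ord("A") if upper else ord("a")
    return "".join(chr(base + (b >> 4)) + chr(base + (b & 0x0F)) for b in data)


def netbios_decode(text: str) -> Optional[bytes]:
    """Inverse transform; None if text is not well-formed netbios encoding
    (odd length, or any character outside a-p / A-P)."""
    if not text or len(text) % 2:
        return None
    if re.fullmatch(r"[a-p]+", text):
        base = ord("a")
    elif re.fullmatch(r"[A-P]+", text):
        base = ord("A")
    else:
        return None
    nibbles = [ord(c) - base for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


@dataclass
class Hit:
    src: str
    method: str
    uri: str
    user_agent: str
    reasons: list = field(default_factory=list)
    metadata: Optional[bytes] = None  # decoded blob; still Beacon-encrypted


def analyse_line(line: str) -> Optional[Hit]:
    """Return a Hit if the request matches the profile's traffic shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, src, method, uri, ua = m.groups()
    hit = Hit(src, method, uri, ua)

    # 1. User-Agent: an exact profile value, or a CryptoAPI version that no
    #    Windows build actually reports.
    if ua in PROFILE_USER_AGENTS:
        hit.reasons.append(f"user-agent matches ocsp.profile variant: {ua}")
    elif ua.startswith("Microsoft-CryptoAPI/") and \
            ua.split("/", 1)[1] not in LEGIT_CRYPTOAPI_VERSIONS:
        hit.reasons.append(f"CryptoAPI user-agent with unknown OS version: {ua}")

    # 2. URI: a profile path followed (for GET) by a netbios-encoded blob.
    #    A real OCSP-over-GET request carries base64 here, which uses
    #    uppercase letters, digits, '+', '/' and '=', so it never decodes.
    for prefix in (PROFILE_GET_URIS if method == "GET" else PROFILE_POST_URIS):
        if uri.startswith(prefix):
            decoded = netbios_decode(uri[len(prefix):])
            if method == "GET" and decoded is not None:
                hit.metadata = decoded
                hit.reasons.append(f"netbios blob after {prefix} "
                                   f"({len(decoded)} bytes of metadata)")
            elif method == "POST":
                hit.reasons.append(f"POST to profile result URI {prefix}")
            break

    return hit if hit.reasons else None


def scan(lines) -> list:
    return [h for h in (analyse_line(l) for l in lines) if h is not None]


# Constructed sample traffic. The "metadata" is arbitrary bytes standing in
# for Beacon's encrypted session metadata.
CONSTRUCTED_METADATA = bytes(range(0, 256, 17))
SAMPLE_LOG = [
    # Legitimate OCSP over GET: NT version UA, base64 DER request in the path.
    '2023-06-01T10:00:01Z 10.0.0.21 GET /ocsp/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ "Microsoft-CryptoAPI/10.0"',
    # Shape of the first sample: /ocsp/ + netbios metadata, UA 7.0.
    f'2023-06-01T10:00:05Z 10.0.0.44 GET /ocsp/{netbios_encode(CONSTRUCTED_METADATA)} "Microsoft-CryptoAPI/7.0"',
    # Shape of the second sample: results posted to /pkg/a/, UA 8.1.
    '2023-06-01T10:00:09Z 10.0.0.44 POST /pkg/a/ "Microsoft-CryptoAPI/8.1"',
    # Unrelated browsing that happens to share a profile prefix.
    '2023-06-01T10:00:12Z 10.0.0.21 GET /download/index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.src, h.method, h.uri, h.user_agent, "|", "; ".join(h.reasons))
```

Running the block flags only the two requests from 10.0.0.44. The point of decoding the blob is not to read it (it is ciphertext) but to confirm that the path suffix is well-formed netbios output, which separates a Beacon check-in from a legitimate OCSP GET to the same-looking path; a real profile edit (e.g. switching to base64url) defeats exactly this check, which is the arms race the write-up describes.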

Indicators of Compromise

  • [SHA256 Hash] – 1980becd2152f4c29dffbb9dc113524a78f8246d3ba57384caf1738142bb3a07, b587e215ce8c0b3a1525f136fe38bfdc0232300e1a4f7e651e5dc6e86313e941, and 38eeb82dbb5285ff6a2122a065cd1f820438b88a02057f4e31a1e1e5339feb2b.
  • [Domains] – msupdate.azurefd[.]net, o365updater.azureedge[.]net, gupdater.bbtecno[.]com, teamsupd.azurewebsites[.]net, msdn1357.centralus.cloudapp.azure[.]com, cupdater.bbtecno[.]com, msupdate.brazilsouth.cloudapp.azure[.]com, update37.eastus.cloudapp.azure[.]com, update.westus.cloudapp.azure[.]com, www.consumershop.lenovo.com.cn.d4e97cc6.cdnhwcggk22[.]com
  • [IP] – 146.235.52[.]69, 159.112.177[.]137

Read more: https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/