Cobalt Strike Beacon Via Sophos Phishing Website – Cyble

Cyble CRIL identified a typosquatted Sophos domain (sopbos[.]com) that hosts an auto-downloading malware chain leading to a Cobalt Strike beacon. The dropper executes embedded PowerShell via a runspace to establish a reverse TCP connection to a hex-encoded C2 address. #CobaltStrike #Sophos #PowerShell #Runspace

Keypoints

  • Cyble CRIL found a typosquatted Sophos domain impersonating Sophos Home to lure victims.
  • The phishing site auto-downloads a malicious payload without requiring user interaction.
  • A malicious .NET loader contains an embedded PowerShell script executed in a runspace.
  • The final payload delivers a Cobalt Strike beacon that opens a reverse TCP shell.
  • The PowerShell chain uses Base64 encoding, AES decryption, and decompression (Deflate/Gzip) with subsequent Invoke-Expression.
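As an added defender-side example (not code from the Cyble report), the Python below triages a PowerShell script block for the staged decoding chain described above (Base64, AES, Deflate/Gzip, Invoke-Expression) and decodes isolated 8-hex-digit runs as candidate IPv4 addresses, which is how a hex-encoded C2 like the one listed under Indicators of Compromise would surface. The sample script block is constructed; treating PowerShell script-block logging (Event ID 4104) as the source of such text is an assumption.

```python
import re
from typing import Dict, List

# Decoding primitives the reported chain strings together. A single one is
# common in legitimate scripts; three or more in one block is the signal.
STAGE_PATTERNS: Dict[str, str] = {
    "base64": r"FromBase64String",
    "aes": r"(?:AesManaged|AesCryptoServiceProvider|\[.*?Aes\]::Create|CreateDecryptor)",
    "decompress": r"(?:DeflateStream|GZipStream)",
    "invoke": r"(?:Invoke-Expression|\biex\b)",
}

# Isolated run of exactly 8 hex digits: 4 bytes, i.e. a possible IPv4 address.
HEX_IPV4 = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")


def stages_present(script_block: str) -> List[str]:
    """Names of decoding stages found in the block, in chain order."""
    return [name for name, pat in STAGE_PATTERNS.items()
            if re.search(pat, script_block, re.IGNORECASE)]


def decode_hex_ipv4(script_block: str) -> List[str]:
    """Dotted-quad candidates for every isolated 8-hex-digit run (may include noise)."""
    return [".".join(str(b) for b in bytes.fromhex(m.group(1)))
            for m in HEX_IPV4.finditer(script_block)]


def triage(script_block: str) -> Dict[str, object]:
    """Score one script block (e.g. the text of a 4104 event) for the chain."""
    stages = stages_present(script_block)
    return {
        "stages": stages,
        "suspicious": len(stages) >= 3,
        "hex_ipv4": decode_hex_ipv4(script_block),
    }


# Constructed sample blocks, not captured from the real campaign.
SUSPICIOUS_BLOCK = (
    "$b = [Convert]::FromBase64String($s); $d = $aes.CreateDecryptor(); "
    "$ds = New-Object IO.Compression.DeflateStream($ms, "
    "[IO.Compression.CompressionMode]::Decompress); "
    "Invoke-Expression $out; $c2 = '6247e8df'"
)
BENIGN_BLOCK = "$cfg = [Convert]::FromBase64String($env:APP_CONFIG); Write-Output $cfg"

if __name__ == "__main__":
    for name, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(name, triage(block))
```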

MITRE Techniques

  • [T1566] Phishing – ‘This malware reaches users via phishing sites.’
  • [T1204] User Execution – ‘The user needs to manually execute the malicious file downloaded from the phishing site.’
  • [T1059] Command and Scripting Interpreter – ‘PowerShell scripts are used to execute the Cobalt Strike beacon.’
  • [T1202] Indirect Command Execution – ‘PowerShell commands are executed using a malicious executable.’
  • [T1036] Masquerading – ‘The downloaded file is disguised as a Sophos installer.’
  • [T1140] Deobfuscate/Decode Files or Information – ‘PowerShell scripts are deobfuscated and decoded to get the Cobalt Strike beacon.’
  • [T1095] Non-Application Layer Protocol – ‘TCP is used by the Cobalt Strike beacon to interact with the C&C server.’

Indicators of Compromise

  • [Domain] Phishing Site – sopbos[.]com
  • [IP] C2 – 98[.]71.232[.]223
  • [MD5] File – c974ffe23d57ec909ef26b55f202047e
  • [SHA1] File – ec6da5616d6b3b3269fababe104bfe04f2828717
  • [SHA256] File – 067c95ad074afd8993281b02f74d0f257fb312943da0887355da652afb54c0ab
  • [File Name] – SophosInstall..exe

Read more: https://cyble.com/blog/covert-delivery-of-cobalt-strike-beacon-via-sophos-phishing-website/