Cobalt Strike is being distributed to unsecured MS-SQL servers, leveraging brute force, dictionary attacks, and command execution to deploy a memory-based beacon. The campaign overlaps with other malware like Lemon Duck, Kingminer, and Vollgar that abuse port 1433 for scanning and lateral movement within Windows environments. #CobaltStrike #LemonDuck
Keypoints
- The ASEC analysis team observed the distribution of Cobalt Strike targeting unsecured MS-SQL servers.
- MS-SQL servers are commonly attacked via unpatched vulnerabilities, brute forcing, and dictionary attacks against the admin account (sa).
- Attackers scan port 1433 to identify MS-SQL servers publicly reachable, and Lemon Duck is noted for lateral movement via this port.
- If login succeeds, attackers use commands like xp_cmdshell to run tools; Cobalt Strike is downloaded through cmd.exe and powershell.exe via the MS-SQL process.
- Cobalt Strike is loaded through MSBuild.exe with techniques to bypass detection, including using a loader into wwanmm.dll to run a beacon in memory.
- AhnLab ASD logs show multiple Cobalt Strike indicators over the past month, suggesting the same attacker activity across several download and C2 domains.
- AhnLab emphasizes memory- and behavior-based detection to counter the beacon and recommends their TIP platform for IOC details.
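The keypoints above describe a chain that is easy to spot from endpoint telemetry if you look for it: the MS-SQL service process (sqlservr.exe) spawning cmd.exe or powershell.exe, a shell then launching MSBuild.exe, and outbound connections to the C2 addresses listed in the report. The following detection sketch is an added example written for this summary, not code from ASEC or AhnLab. It assumes process-creation and network events have already been flattened into simple `key=value` lines (a constructed format loosely modelled on Sysmon Event ID 1 and 3 fields); the sample events are constructed, and the IP list is taken from the report's indicator section.

```python
"""Flag the sqlservr.exe -> shell -> MSBuild.exe -> C2 chain in sample telemetry.

Added example for the ASEC summary above; not the report's own code.
Event format and all sample lines below are constructed for illustration.
"""
import re
from collections import namedtuple

# C2 / download endpoints listed in the report's IOC section.
C2_IPS = {"92.255.85.83", "92.255.85.86", "92.255.85.93",
          "92.255.85.94", "45.64.112.51"}

# Children the MS-SQL service process should not normally spawn
# (xp_cmdshell abuse surfaces as exactly this parent/child pair).
SUSPICIOUS_SQL_CHILDREN = {"cmd.exe", "powershell.exe"}

Finding = namedtuple("Finding", "rule host detail")

# key=value tokens; values may be double-quoted to allow spaces (e.g. Windows paths).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one constructed 'k=v k="quoted v"' event line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return a list of Finding for every event matching one of the three rules."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("type") == "proc":
            parent = basename(ev.get("parent", ""))
            image = basename(ev.get("image", ""))
            # Rule 1: MS-SQL service process launching a command interpreter.
            if parent == "sqlservr.exe" and image in SUSPICIOUS_SQL_CHILDREN:
                findings.append(Finding("sqlservr_spawns_shell", host,
                                        f"{parent} -> {image}: {ev.get('cmdline', '')}"))
            # Rule 2: a shell launching MSBuild.exe (the injection target named above).
            if image == "msbuild.exe" and parent in SUSPICIOUS_SQL_CHILDREN:
                findings.append(Finding("shell_spawns_msbuild", host,
                                        f"{parent} -> {image}"))
        elif ev.get("type") == "net":
            # Rule 3: outbound connection to a known C2 / download endpoint.
            dst = ev.get("dst", "")
            if dst in C2_IPS:
                findings.append(Finding("known_c2_ip", host,
                                        f"{basename(ev.get('image', ''))} -> {dst}:{ev.get('dport', '?')}"))
    return findings


# Constructed sample telemetry: three malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    r'type=proc host=db01 parent="C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c powershell.exe -c <download-placeholder>"',
    r'type=proc host=ws07 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"',
    r'type=proc host=db01 parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"',
    r'type=net host=ws07 image="C:\Program Files\Browser\browser.exe" dst=203.0.113.10 dport=443',
    r'type=net host=db01 image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" dst=92.255.85.83 dport=7905',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rules 1 and 2 are behavioural and do not depend on the indicator list, which matters because the report notes the beacon itself runs only in memory; rule 3 is the indicator match and will go stale as the infrastructure changes. A matching rule 1 hit on a database host is also the natural trigger to check whether xp_cmdshell has been enabled on that instance.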
MITRE Techniques
- [T1046] Network Service Scanning – The attacker or malware usually scans port 1433 to check for MS-SQL servers open to the public. "The attacker or the malware usually scans port 1433 to check for MS-SQL servers open to the public."
- [T1110] Brute Force – Attacks include brute forcing or dictionary attacks against the admin account ("sa") to attempt logging in. "brute forcing, and dictionary attack against poorly managed servers."
- [T1021] Lateral Movement – Lemon Duck scans port 1433 and spreads for the purpose of lateral movement in the internal network. "Lemon Duck malware that scans port 1433 and spreads for the purpose of lateral movement in the internal network."
- [T1059] Command and Scripting Interpreter – Cobalt Strike was downloaded through cmd.exe and powershell.exe via the MS-SQL process. "downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown below."
- [T1055] Process Injection – The injector decodes and injects Cobalt Strike into MSBuild.exe, loading wwanmm.dll and writing/executing a beacon in DLL memory. "injector that decodes the encoded Cobalt Strike inside, and executes and injects the normal program MSBuild.exe."
- [T1027] Obfuscated/Compressed Files and Information – The loader decodes the encoded Cobalt Strike inside to execute it. "injector that decodes the encoded Cobalt Strike inside, and executes and injects the normal program MSBuild.exe."
- [T1562] Impair Defenses – The Cobalt Strike settings data show a method to bypass detection of security products. "bypass detection of security products, where it loads the normal dll wwanmm.dll, then writes and executes a beacon in the memory area of the dll."
- [T1071] Application Layer Protocol – The C2 infrastructure uses HTTP-based URLs for command and control and beacon communications. "C&C – hxxp://92.255.85[.]83:7905/push … hxxp://92.255.85[.]94:83/ga.js"
Indicators of Compromise
- [MD5] Cobalt Strike (Stageless) – ae7026b787b21d06cc1660e4c1e9e423, 571b8c951febb5c24b09e1bc944cdf5f, and 5 other hashes
- [MD5] CobaltStrike (Stager) – 2c373c58caaaca0708fdb6e2b477feb2, bb7adc89759c478fb88a3833f52f07cf
- [File name] Detections – Trojan/Win.FDFM.C4959286, Trojan/Win.Injector.C4952559, Infostealer/Win.AgentTesla.R470158, and 4 other detections
- [File name] Detections – Trojan/Win.Agent.C4897376, Trojan/Win32.CobaltStrike.R329694, and 1 more
- [Behavior] MD5-based detection – Malware/MDP.Download.M1197
- [URL] C2 / download URLs – hxxp://92.255.85[.]83:7905/push, hxxp://92.255.85[.]83:9315/en_US/all.js, and 7 more URLs
- [URL] Beacon download URL – hxxp://92.255.85[.]93:18092/jRQO, hxxp://92.255.85[.]93:12031/CbCt
- [URL] Download URL – hxxp://45.64.112[.]51/dol.exe, hxxp://45.64.112[.]51/mr_robot.exe, and 7 more URLs
- [IP] C2 / download endpoints – 92.255.85.83, 92.255.85.86, and other similar addresses
Read more: https://asec.ahnlab.com/en/31811/