Summary:
Recent investigations have revealed a cluster of suspicious infrastructure running Cobalt Strike version 4.10, a tool intended for legitimate security testing that is also abused by malicious actors. The analysis highlights a unique watermark shared across the servers and domains that impersonate well-known brands, indicating a targeted approach to deceive users. The findings emphasize the importance of vigilance in monitoring such activities.
#CobaltStrike #ThreatHunting #InfrastructureAnalysis
Keypoints:
- Discovery of a cluster of suspicious infrastructure using Cobalt Strike 4.10.
- Malicious actors abuse the post-exploitation features of Cobalt Strike.
- Unique watermark 688983459 shared among the identified IPs.
- Domains associated with the servers impersonate well-known brands.
- Infrastructure primarily hosted in the United States, with one server on Microsoft's services.
- New features in Cobalt Strike enhance evasion and post-exploitation capabilities.
- Absence of recent TLS certificates suggests early-stage development or evasion tactics.
- Analysis of payloads extracted from team servers for detection signature development.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services to gain access to target systems.
- Credential Dumping (T1003): Extracts account login and password information from operating systems and software.
- Data Encrypted for Impact (T1486): Encrypts data to disrupt access to information and extort victims.
- Application Layer Protocol (T1071.001): Uses application layer protocols for command and control communication.
IoC:
Mitigation:
- Implement monitoring for unusual network traffic patterns, especially involving Cobalt Strike watermarks.
- Utilize threat intelligence to identify and block known malicious domains and IP addresses.
- Regularly update and patch systems to mitigate vulnerabilities that could be exploited by tools like Cobalt Strike.
- Educate users on identifying phishing attempts and suspicious communications.
- Develop and deploy detection signatures based on analyzed payloads from compromised servers.
Full Research: https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity