Originally published at: CobaltStrike Threat Group Threat Intelligence Advisory - CloudSEK
| Advisory | Adversary Intelligence |
|---|---|
| Actors | CobaltStrike Group/Carbanak |
| Targeted System | Windows Infrastructure |
APTs carry out campaigns with very high operational security, which makes it tedious to keep track of their activities. CloudSEK threat researchers have detected interesting patterns and changes in the way these actors currently operate.
Prominent threat groups are forming alliances with other such actors to maximise impact and profit. New attack vectors in the wild are elusive by design, so as not to tip off the security solutions deployed in the target environment.
Based on the intelligence we were able to gather from various reliable sources, FIN7 attack infrastructure was used by a threat actor to gain initial access to an enterprise network, which later paved the way for a RYUK ransomware attack. The threat actor’s Tactics, Techniques, and Procedures (TTPs) and the use of the CARBANAK RAT can be traced back to FIN7. This strengthens our assumption about the collaboration between FIN7 and WIZARD SPIDER/FIN6, dubbed RYUK.
New Attack Vectors Exploited by CobaltStrike APTs
Template injection with delayed payload execution & malleable Cobalt C2
The CloudSEK Threat Intelligence team has observed a new attack vector, delivered through spear-phishing attacks against targets, that the actor employs to evade security. It weaponizes a Word document capable of staging the download of the Cobalt beacon via template injection. The adversary employs .NET assemblies to provide auxiliary functions that help accomplish the actor’s objectives.

| Artifact | Indicator |
|---|---|
| Anadia Waleed resume.doc | 259632b416b4b869fc6dc2d93d2b822dedf6526c0fa57723ad5c326a92d30621 |
| Remote template: indexa.dotm | 7f1325c5a9266e649743ba714d02c819a8bfc7fd58d58e28a2b123ea260c0ce2 |
| Remote template URL | https://yenile[.]asia/YOOMANHOWYOUDARE/ |
| Cf.ini shellcode after decryption | 5143c5d8715cfc1e70e9db00184592c6cfbb4b9312ee02739d098cf6bc83eff9 |
| CobaltStrike downloaded shellcode | 8cfd023f1aa40774a9b6ef3dbdfb75dea10eb7f601c308f8837920417f1ed702 |
Image encoded Cobalt payload delivery
The CloudSEK Threat Intelligence team has observed an unusual delivery of the beacon encoded in a PNG image hosted on the image hosting platform Imgur. When the embedded macros are executed, they launch a PowerShell script that downloads a second PowerShell script hosted on GitHub. That script then downloads a PNG image from Imgur, which is in fact an encoded CobaltStrike payload. After downloading the image, the PowerShell script decodes the payload, which in turn enables the CobaltStrike beacon to connect to the attackers’ infrastructure.
Miscellaneous Intelligence on CobaltStrike Actors
A new ransomware strain known as CRING has been identified using the “Cobalt beacon” in its campaigns to carry out the post-exploitation and lateral movement phases of the kill chain.
As the Cobalt beacon is capable of using tactics such as process injection to evade security systems and remain undetected in the target environment, even legitimate processes running on the target device can be made to host it.
Exfiltration of data and C2 communication can be hidden in innocent-looking network traffic by utilising malleable C2 capabilities.
An attacker can integrate other popular frameworks like Metasploit/Empire and Mimikatz to carry out post-exploitation phases, including lateral movement and privilege escalation.
The threat actor can gain control over the target OS leading to disk access with read/write/execute permissions.
An attacker can make changes to system services and registry keys, which are crucial elements of any Windows system, to enable persistence.
CobaltStrike can stage a VNC server to control the victim remotely.
Integration with PowerShell gives the attacker an easy means of further reconnaissance and of post-exploitation tactics such as DLL loading, which lets the attacker run custom programs to further the attack.
Two-factor authentication can be bypassed using techniques such as Browser Pivot, which hijacks a compromised user’s authenticated session and mimics the target.
Advanced tunnelling capabilities built into Cobalt let attackers pivot into other segments of the network via compromised footholds.
- Sandboxes should emulate named pipes to detect the presence of Cobalt shellcode as CobaltStrike hides shellcode over named pipes.
- Strict examination of network traffic to detect Cobalt C2 communication. The challenge is that it is a malleable C2 system that can imitate any profile of a legitimate application dictated by the operator to evade security and detection. The security team should specifically focus on HTTPS traffic, as it is the default channel for C2 communication.
- Frequency analysis of network traffic helps distinguish bot traffic from human-generated traffic, as human-generated traffic will not be uniform.
- If the HOST header of the traffic does not match the destination address, the traffic is likely malicious.
- Check the URI against various CobaltStrike URI Indicators of Compromise to confirm the presence of the Cobalt beacon.
- Enforce the rule of “least privilege” to domain accounts to restrict a user from having more privilege than they need.
- Effective utilisation of SIEM systems to monitor ingress and egress traffic.
- Proper isolation and segmentation of the network to protect critical assets.
- Security administrators need to implement effective vulnerability management programmes to roll out patches and keep the systems updated.
- Make users aware of phishing campaigns and client-side attacks so that they can protect themselves from phishing attacks.
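The three network checks above (frequency analysis of request cadence, HOST header versus destination address, and URI matching against indicators) as a single defender-side script, added here as an example and not part of the original advisory. The proxy log lines, the resolver snapshot and the URI indicator list are constructed placeholders; a real deployment would feed it actual proxy logs, DNS data and a Cobalt Strike URI IoC feed.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: (seconds since capture start, src, dst, Host header, URL).
# All addresses, hostnames and paths are made-up placeholders, not indicators from the advisory.
SAMPLE_LOG = [
    (0,   "10.0.0.5", "203.0.113.10", "cdn.example.net", "http://cdn.example.net/b/static"),
    (60,  "10.0.0.5", "203.0.113.10", "cdn.example.net", "http://cdn.example.net/b/static"),
    (120, "10.0.0.5", "203.0.113.10", "cdn.example.net", "http://cdn.example.net/b/static"),
    (180, "10.0.0.5", "203.0.113.10", "cdn.example.net", "http://cdn.example.net/b/static"),
    (5,   "10.0.0.7", "198.51.100.20", "news.example.org", "http://news.example.org/index.html"),
    (47,  "10.0.0.7", "198.51.100.20", "news.example.org", "http://news.example.org/story/1"),
    (301, "10.0.0.7", "198.51.100.20", "news.example.org", "http://news.example.org/story/9"),
    (420, "10.0.0.7", "198.51.100.20", "news.example.org", "http://news.example.org/about"),
]
# Constructed resolver snapshot: the IPs each Host header legitimately resolves to.
KNOWN_RESOLUTIONS = {"cdn.example.net": {"198.51.100.99"}, "news.example.org": {"198.51.100.20"}}
# Placeholder URI indicator; replace with paths from a real Cobalt Strike URI IoC feed.
URI_IOCS = {"/b/static"}


def host_mismatches(log, resolutions):
    """Requests whose Host header does not resolve to the destination IP they were sent to."""
    return [(src, dst, host) for _, src, dst, host, _ in log
            if dst not in resolutions.get(host, set())]


def uri_hits(log, iocs):
    """Requests whose URI path matches a known indicator."""
    return [(src, urlsplit(url).path) for _, src, _, _, url in log
            if urlsplit(url).path in iocs]


def beaconing_pairs(log, min_requests=4, max_cv=0.1):
    """(src, dst) pairs whose request timing is too regular to be human-driven.

    A coefficient of variation (stdev / mean) of the inter-request gaps at or below
    max_cv marks a uniform cadence; real browsing produces irregular gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in log:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged
```

Operators can add sleep jitter to a beacon, so treat `max_cv` as a tuning knob to be set against a baseline of your own traffic rather than a fixed rule.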