
Rewterz Threat Alert – Cobalt Strike Malware – Active IOCs

November 18, 2021

Severity

Medium

Analysis Summary

Cobalt Strike is a commercial penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon provides a wealth of functionality to the attacker, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, and SMB named pipes, as well as forward and reverse TCP, and Beacons can be daisy-chained. Cobalt Strike ships with a toolkit for developing shellcode loaders, called Artifact Kit.

Impact

  • Data Exfiltration
  • Information Theft

Indicators of Compromise

Filename

  • CLMCP 9215 Nov 15 (383)[.]xlsb

IP

  • 190[.]14[.]37[.]84
  • 80[.]71[.]158[.]152
  • 71[.]13[.]93[.]154
  • 103[.]143[.]8[.]71
  • 50[.]194[.]160[.]233
  • 37[.]252[.]0[.]102
  • 23[.]111[.]114[.]52
  • 5[.]255[.]98[.]144

MD5

  • 3489702c1298d45a5964aadd4a5753a6
  • a4d17faab32f86aa4546964dc1b317d8
  • 01e81516cbf689ff0e9444aee11e53d1
  • 13fc44f206bcd75d2880d39a22d777a3

SHA-256

  • 18bd1ae701ff57a6d1119f18c53350688f41cbac0ea1ad0cb73234f6ab733404
  • aca6a42ef77fb9e13c8a77caad356b10b7f8114fa89de06acda9ab4e379a69f9
  • b9b399dbb5d901c16d97b7c30cc182736cd83a7c53313194a1798d61f9c7501e
  • 3cde8a896848e9c28ccfcc2db7812602143de7be90aa44fcfe83c85ac7e53f9b

SHA-1

  • ed0afe8cbdfb77332f9ce8c28b1be592eb89d730
  • 6ef08c458a784bb2d5f41485285628ec37bf8b5b
  • 04b69b23d16f80f9d1852d515d26071b7dd1648c
  • 5cd8cc40a71dc9a2b5ea8b023cb6f8bdb1c16748

URL

  • http[:]//190[.]14[.]37[.]84/5555555[.]dat
  • https[:]//softwareupdatechecking[.]at/

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
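Searching for these indicators in practice means refanging them and sweeping proxy, DNS and endpoint telemetry for matches. The Python script below is an added example, not Rewterz's own tooling: it takes the indicators listed in this advisory in their defanged form, derives a domain list from the URLs, and matches them against a few constructed log lines (the hostnames, client addresses and timestamps in the sample logs are made up for the demonstration).

```python
import re
from urllib.parse import urlparse

# IOCs copied from this advisory, kept in their defanged form.
DEFANGED_IOCS = {
    "ip": [
        "190[.]14[.]37[.]84", "80[.]71[.]158[.]152", "71[.]13[.]93[.]154",
        "103[.]143[.]8[.]71", "50[.]194[.]160[.]233", "37[.]252[.]0[.]102",
        "23[.]111[.]114[.]52", "5[.]255[.]98[.]144",
    ],
    "md5": [
        "3489702c1298d45a5964aadd4a5753a6", "a4d17faab32f86aa4546964dc1b317d8",
        "01e81516cbf689ff0e9444aee11e53d1", "13fc44f206bcd75d2880d39a22d777a3",
    ],
    "sha1": [
        "ed0afe8cbdfb77332f9ce8c28b1be592eb89d730", "6ef08c458a784bb2d5f41485285628ec37bf8b5b",
        "04b69b23d16f80f9d1852d515d26071b7dd1648c", "5cd8cc40a71dc9a2b5ea8b023cb6f8bdb1c16748",
    ],
    "sha256": [
        "18bd1ae701ff57a6d1119f18c53350688f41cbac0ea1ad0cb73234f6ab733404",
        "aca6a42ef77fb9e13c8a77caad356b10b7f8114fa89de06acda9ab4e379a69f9",
        "b9b399dbb5d901c16d97b7c30cc182736cd83a7c53313194a1798d61f9c7501e",
        "3cde8a896848e9c28ccfcc2db7812602143de7be90aa44fcfe83c85ac7e53f9b",
    ],
    "url": ["http[:]//190[.]14[.]37[.]84/5555555[.]dat", "https[:]//softwareupdatechecking[.]at/"],
    "filename": ["CLMCP 9215 Nov 15 (383)[.]xlsb"],
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest alternative first so a SHA-256 is not cut into a 32-char prefix.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def refang(value: str) -> str:
    """Turn advisory-style defanged notation back into the literal form seen in logs."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_iocs(defanged: dict) -> dict:
    """Refang and lowercase every indicator; add a domain set derived from the URLs."""
    iocs = {kind: {refang(v).lower() for v in values} for kind, values in defanged.items()}
    hosts = [urlparse(u).hostname for u in iocs["url"]]
    # Hostnames that are bare IPs are already covered by the "ip" set.
    iocs["domain"] = {h for h in hosts if h and not IP_RE.fullmatch(h)}
    return iocs


def scan_line(line: str, iocs: dict) -> list:
    """Return the (kind, value) IOC matches found in one log line, without duplicates."""
    lower = line.lower()
    candidates = (
        [("ip", ip) for ip in IP_RE.findall(lower) if ip in iocs["ip"]]
        + [(kind, h) for h in HASH_RE.findall(lower)
           for kind in ("md5", "sha1", "sha256") if h in iocs[kind]]
        + [("url", u) for u in iocs["url"] if u in lower]
        # Domains must stand alone: "evil.example" should not fire on "notevil.example".
        + [("domain", d) for d in iocs["domain"]
           if re.search(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", lower)]
        + [("filename", f) for f in iocs["filename"] if f in lower]
    )
    hits = []
    for hit in candidates:
        if hit not in hits:
            hits.append(hit)
    return hits


def scan_logs(lines, iocs: dict) -> list:
    """Return [(line_number, hits)] for every line that matched at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, iocs)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample telemetry: one proxy hit, one EDR file event, one clean line, one DNS hit.
SAMPLE_LOGS = [
    "2021-11-18T09:12:01Z proxy client=10.0.0.23 dst=190.14.37.84 method=GET "
    "url=http://190.14.37.84/5555555.dat status=200",
    "2021-11-18T09:12:05Z edr host=WS-0412 event=file_create "
    "path=C:\\Users\\jdoe\\Downloads\\CLMCP 9215 Nov 15 (383).xlsb md5=3489702C1298D45A5964AADD4A5753A6",
    "2021-11-18T09:13:40Z proxy client=10.0.0.31 dst=93.184.216.34 method=GET url=https://example.com/ status=200",
    "2021-11-18T09:14:02Z dns client=10.0.0.23 query=softwareupdatechecking.at answer=5.255.98.144",
]

IOCS = build_iocs(DEFANGED_IOCS)


def scan_sample() -> list:
    """Run the sweep over the constructed sample logs."""
    return scan_logs(SAMPLE_LOGS, IOCS)


if __name__ == "__main__":
    for number, hits in scan_sample():
        print(f"line {number}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
```

Feeding real proxy, DNS and EDR exports through `scan_logs` in place of `SAMPLE_LOGS` gives the same output shape; matching is done on lowercased text so hash case differences between tools do not cause misses. The domain set is derived from the URL indicators so that DNS telemetry, which never carries the full URL, can still be matched.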