Rewterz Threat Alert – Cobalt Strike Malware – Active IOCs

Severity

Medium

Analysis Summary

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

Impact

• Data Exfiltration
• Information Theft

Indicators of Compromise

Filename

• CLMCP 9215 Nov 15 (383)[.]xlsb

IP

• 190[.]14[.]37[.]84
• 80[.]71[.]158[.]152
• 190[.]14[.]37[.]84
• 71[.]13[.]93[.]154
• 103[.]143[.]8[.]71
• 50[.]194[.]160[.]233
• 37[.]252[.]0[.]102
• 23[.]111[.]114[.]52
• 5[.]255[.]98[.]144

MD5

• 3489702c1298d45a5964aadd4a5753a6
• a4d17faab32f86aa4546964dc1b317d8
• 01e81516cbf689ff0e9444aee11e53d1
• 13fc44f206bcd75d2880d39a22d777a3

SHA-256

• 18bd1ae701ff57a6d1119f18c53350688f41cbac0ea1ad0cb73234f6ab733404
• aca6a42ef77fb9e13c8a77caad356b10b7f8114fa89de06acda9ab4e379a69f9
• b9b399dbb5d901c16d97b7c30cc182736cd83a7c53313194a1798d61f9c7501e
• 3cde8a896848e9c28ccfcc2db7812602143de7be90aa44fcfe83c85ac7e53f9b

SHA-1

• ed0afe8cbdfb77332f9ce8c28b1be592eb89d730
• 6ef08c458a784bb2d5f41485285628ec37bf8b5b
• 04b69b23d16f80f9d1852d515d26071b7dd1648c
• 5cd8cc40a71dc9a2b5ea8b023cb6f8bdb1c16748

URL

• http[:]//190[.]14[.]37[.]84/5555555[.]dat
• https[:]//softwareupdatechecking[.]at/

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.