Severity
High
Analysis Summary
NSIS installers for fake VPN clients have recently been observed distributing Cobalt Strike. All of the observed installers drop "InsHelper.exe", which in turn loads "c2hex". The indicators below belong to a sample VPN installer that deploys Cobalt Strike by DLL side-loading through the TaskServer.exe process. Once the installer is downloaded and executed, the beacon begins communicating with its command-and-control (C2) server.
Impact
System Compromise
Network-wide attack
Unauthorized access to information
Indicators of Compromise
MD5
7f5539fb392b465d0c40eea99f8b1fa3
7dc65336c95d13bb58cb9472eaa6872f
e452dd334c0c1dbf4b5949095ebd0ef2
44071052bde88a61108a7e5e2dbdd210
e078ae440ed5b50171f47afd3eb336c8
SHA-256
6be0e17ae33448f07aec1968f74962d021229792b60214780d4e56cc4c194e1d
0790e138f23c1335d30fae4b1cd42937f6c43b1300b40bc02c15f48f48aac6d7
be96d1dd3a515e229b25183556c2dd3209f23bd2239dbf0b4791be31864311de
37abf46946d478f17de5b0f15c2d3a1ae79b7d41c48384cc0d3afb26e9c8ce57
9aa374e8bc755d6b49175a8644aa7c7e715062261b41ee98ae939b4dfe3975ea
SHA-1
e3cda43df2370dd5e07d8f8cac91921287a37de1
8347590b404cd8d1d084fef29dec1ac7af419b80
f441d34a5eb36cc4a101d2abc8da5c03be72fed9
9171e0460e6dff6d2b98470b49282e09f9295e61
23314fa5cb70a12df64f430394e3a779da561b22
Source IP
116[.]85[.]25[.]159
39[.]101[.]207[.]158
URL
https[:]//116[.]85[.]25[.]159/
http[:]//116[.]85[.]25[.]159
https[:]//39[.]101[.]207[.]158
http[:]//39[.]101[.]207[.]158[:]39999/
http[:]//39[.]101[.]207[.]158/
http[:]//39[.]101[.]207[.]158
Remediation
Block the threat indicators at their respective controls (file hashes in EDR/AV, the IP addresses and URLs at the firewall, proxy and DNS layers).
Install only genuine VPN clients downloaded from the vendor's official site.
Do not download untrusted software from unverified sources on the internet.
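To act on the indicators above, a practitioner typically needs two things: the defanged network indicators turned back into literal values that a blocklist accepts, and a way to hash files on endpoints or in a quarantine share and compare them against the published digests. The script below is an added example written for this advisory; it is not part of the original page or of any vendor tooling. The hash sets and network indicators are copied from the IOC list above (the page does not say which MD5, SHA-1 and SHA-256 values belong to the same file, so they are kept as three independent sets), and the scanning helpers, their names and the sample file used to exercise them are the example's own assumptions.

```python
import hashlib
from pathlib import Path

# Indicators copied from the advisory above. The page does not pair an MD5
# with its SHA-1/SHA-256, so each algorithm is matched independently.
IOC_MD5 = {
    "7f5539fb392b465d0c40eea99f8b1fa3",
    "7dc65336c95d13bb58cb9472eaa6872f",
    "e452dd334c0c1dbf4b5949095ebd0ef2",
    "44071052bde88a61108a7e5e2dbdd210",
    "e078ae440ed5b50171f47afd3eb336c8",
}
IOC_SHA1 = {
    "e3cda43df2370dd5e07d8f8cac91921287a37de1",
    "8347590b404cd8d1d084fef29dec1ac7af419b80",
    "f441d34a5eb36cc4a101d2abc8da5c03be72fed9",
    "9171e0460e6dff6d2b98470b49282e09f9295e61",
    "23314fa5cb70a12df64f430394e3a779da561b22",
}
IOC_SHA256 = {
    "6be0e17ae33448f07aec1968f74962d021229792b60214780d4e56cc4c194e1d",
    "0790e138f23c1335d30fae4b1cd42937f6c43b1300b40bc02c15f48f48aac6d7",
    "be96d1dd3a515e229b25183556c2dd3209f23bd2239dbf0b4791be31864311de",
    "37abf46946d478f17de5b0f15c2d3a1ae79b7d41c48384cc0d3afb26e9c8ce57",
    "9aa374e8bc755d6b49175a8644aa7c7e715062261b41ee98ae939b4dfe3975ea",
}
# Network indicators exactly as published (defanged with [.] and [:]).
IOC_NETWORK_DEFANGED = [
    "116[.]85[.]25[.]159",
    "39[.]101[.]207[.]158",
    "https[:]//116[.]85[.]25[.]159/",
    "http[:]//116[.]85[.]25[.]159",
    "https[:]//39[.]101[.]207[.]158",
    "http[:]//39[.]101[.]207[.]158[:]39999/",
    "http[:]//39[.]101[.]207[.]158/",
    "http[:]//39[.]101[.]207[.]158",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the literal value that a firewall,
    proxy or DNS blocklist expects."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass. Installers can be
    large, so the file is streamed in chunks rather than read three times."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_file(path, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256) -> list:
    """Return the algorithms under which the file's digest matches an indicator
    (empty list means no hit). The sets are parameters so a team can merge the
    advisory's hashes with its own intelligence."""
    digests = hash_file(path)
    hits = []
    if digests["md5"] in md5s:
        hits.append("md5")
    if digests["sha1"] in sha1s:
        hits.append("sha1")
    if digests["sha256"] in sha256s:
        hits.append("sha256")
    return hits


def scan_tree(root, **sets) -> dict:
    """Walk a directory tree and return {path: matched algorithms} for every
    file that hits at least one indicator."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = match_file(p, **sets)
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    import sys

    # Usage: python ioc_scan.py <directory-to-scan>  (hypothetical script name)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for indicator in IOC_NETWORK_DEFANGED:
        print("block:", refang(indicator))
    for path, hits in scan_tree(target).items():
        print(f"MATCH {path} ({', '.join(hits)})")
```

Matching on all three digests at once is deliberate: a single hit on any algorithm is enough to raise an alert, and keeping the sets separate avoids guessing which published values describe the same file.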