
Rewterz Threat Alert – CobaltStrike Beacon Masquerades as VPN Client Installers

August 25, 2020

Severity

High

Analysis Summary

NSIS installers posing as VPN clients have recently been observed distributing Cobalt Strike. All of these installers drop “InsHelper.exe”, which in turn loads “c2hex”. The analysed sample is a VPN installer that deploys Cobalt Strike by side-loading through the TaskServer.exe process. Once the installer is downloaded and executed, communication with the C2 server begins.
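The behaviours described above can be turned into a small detection pass over endpoint telemetry. The following is an added example written for this advisory, not Rewterz's own code: it runs over constructed Sysmon-style events and flags the dropped InsHelper.exe, the c2hex module load, and TaskServer.exe side-loading a DLL from a user-writable directory. The temp-directory layout, the installer file name and the DLL name version.dll in the sample events are assumptions for illustration.

```python
# Added example, not Rewterz's code: flag the behaviours the advisory describes in
# constructed Sysmon-style events (ID 1 = process create, ID 7 = image load).
import ntpath

SUSPECT_PROCESSES = {"inshelper.exe"}   # dropped by the fake VPN installers
SUSPECT_MODULES = {"c2hex"}             # module that InsHelper.exe loads
SIDELOAD_HOSTS = {"taskserver.exe"}     # legitimate-looking host for the side-load
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def _name(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the rule names an event matches; an empty list means no finding."""
    hits = []
    image = event.get("Image", "")
    if event.get("EventID") == 1 and _name(image) in SUSPECT_PROCESSES:
        hits.append("dropped-helper")
    if event.get("EventID") == 7:
        loaded = event.get("ImageLoaded", "")
        if _name(loaded).rsplit(".", 1)[0] in SUSPECT_MODULES:
            hits.append("c2hex-load")
        # Side-load heuristic: a known host binary running from a user-writable
        # path and loading a DLL from its own directory instead of System32.
        same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
        if (_name(image) in SIDELOAD_HOSTS and same_dir
                and any(m in image.lower() for m in USER_WRITABLE)):
            hits.append("sideload")
    return hits

def scan(events):
    """Map each matched rule to the process images that triggered it."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev.get("Image", ""))
    return findings

# Constructed telemetry: paths, the installer name and version.dll are illustrative.
TMP = r"C:\Users\u\AppData\Local\Temp\nsa1B2.tmp"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TMP + r"\InsHelper.exe",
     "ParentImage": r"C:\Users\u\Downloads\vpn-client-setup.exe"},
    {"EventID": 7, "Image": TMP + r"\InsHelper.exe", "ImageLoaded": TMP + r"\c2hex.dll"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Vpn\TaskServer.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Vpn\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\TaskServer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},   # benign: not flagged
]
```

Calling `scan(SAMPLE_EVENTS)` returns one entry per matched rule; the last event, a host binary under Program Files loading from System32, produces no finding.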


Impact

  • System Compromise
  • Network-wide attack
  • Unauthorized access to information

Indicators of Compromise

Source IP

  • 116[.]85[.]25[.]159
  • 39[.]101[.]207[.]158

Remediation

  • Block the threat indicators at their respective controls.
  • Only use authentic VPNs downloaded from official sources.
  • Do not download untrusted software from unverified sources on the internet.