Cobalt Strike Malware – Active IOCs
September 2, 2024
Severity
High
Analysis Summary
Researchers have discovered a new campaign that may use malware to trick users in the Middle East into believing they are using the Palo Alto Networks GlobalProtect virtual private network (VPN) product.
The malware poses a serious risk to the targeted organizations: it can download and exfiltrate files, encrypt its communications, and run remote PowerShell commands. According to the report, it can also evade sandbox solutions. The sample is highly complex and operates in two stages. First, it establishes connections to what appears to be a company VPN portal for command-and-control (C2) purposes, which lets the threat actors operate without raising any red flags.
The first stage is a setup.exe file that launches GlobalProtect.exe, the main backdoor component. Once installed, this program starts a beaconing procedure that reports its progress to the operators. The first-stage executable also drops two configuration files (RTime.conf and ApProcessId.conf), which are used to exfiltrate system data to the C2 server, such as the victim's IP address, operating system details, username, machine name, and sleep time sequence.
Before running its main code block, the malware checks the location of the process file and of a specified file, an evasion technique that helps it avoid behaviour analysis and sandbox solutions. The backdoor acts as a gateway for PowerShell commands, file uploads, and downloads of subsequent payloads. The open-source Interactsh project is used to facilitate beaconing to the C2 server.
The malware then pivots to a recently registered domain containing the string "sharjahconnect", probably a reference to the U.A.E. emirate of Sharjah. It is made to look like a genuine VPN portal for a U.A.E.-based business. This strategy lets the malware's malicious traffic blend in with expected regional network traffic and improves its evasion characteristics.
Impact
- Data Exfiltration
- Command Execution
- Security Bypass
Indicators of Compromise
Domain Name
- portal.sharjahconnect.online
IP
- 94.131.108.78
MD5
- 9b785d95bf9b3bc03a49c01a93072dc3
- 68c16b6f178c88c12c9555169887c321
SHA-256
- e3880c7db78e09748fe9caf02f330b1c61cd3aaaa31ffe93fb5ba1fb1035f761
- a23adcce96b743d1ecc5a0410fdb6326ae7fff2e78917f51cc70497320dbe750
SHA-1
- 79b38c4be5ac888e38ec5f21ac3710f3d0936a72
- 72cdd3856a3ffd530db50e0f48e71f089858e44f
URL
- http://94.131.108.78:7118/B/hi/
- http://94.131.108.78:7118/B/desktop/
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep operating systems and software up to date as threat actors often exploit vulnerabilities in software and operating systems. Keeping these up to date can help prevent vulnerabilities from being exploited.
- Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread malware.
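The IOC hunt recommended above can be scripted. The following Python example is added here and is not code from the advisory or from the researchers who reported the campaign; it loads the indicators listed above, hashes files on disk in a single pass (MD5, SHA-1 and SHA-256, so one read covers all three lists), and matches proxy or DNS log lines against the domain, IP and URL indicators. The proxy log lines are constructed sample input, not real telemetry, and the log field names are an assumption about the log format.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory above.
IOC_DOMAINS = {"portal.sharjahconnect.online"}
IOC_IPS = {"94.131.108.78"}
IOC_URLS = {
    "http://94.131.108.78:7118/B/hi/",
    "http://94.131.108.78:7118/B/desktop/",
}
IOC_HASHES = {
    "md5": {"9b785d95bf9b3bc03a49c01a93072dc3", "68c16b6f178c88c12c9555169887c321"},
    "sha1": {"79b38c4be5ac888e38ec5f21ac3710f3d0936a72", "72cdd3856a3ffd530db50e0f48e71f089858e44f"},
    "sha256": {
        "e3880c7db78e09748fe9caf02f330b1c61cd3aaaa31ffe93fb5ba1fb1035f761",
        "a23adcce96b743d1ecc5a0410fdb6326ae7fff2e78917f51cc70497320dbe750",
    },
}

# IP regex with boundaries so 194.131.108.78 or 94.131.108.780 do not match.
_IP_PATTERNS = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in IOC_IPS}


def digests_of_bytes(data: bytes) -> dict:
    """Compute all three digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path: Path) -> dict:
    """Hash a file once, feeding the same chunks to all three algorithms."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: dict) -> list:
    """Return (algorithm, digest) pairs that appear in the advisory's hash lists."""
    hits = []
    for algo, value in digests.items():
        value = value.lower()
        if value in IOC_HASHES.get(algo, set()):
            hits.append((algo, value))
    return sorted(hits)


def scan_directory(root: Path) -> list:
    """Walk a directory tree and report files whose hash matches an indicator."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            hits = match_digests(file_digests(path))
            if hits:
                findings.append((str(path), hits))
    return findings


def scan_log_line(line: str) -> list:
    """Return sorted 'type:value' strings for every network indicator found in one log line."""
    found = set()
    lowered = line.lower()
    for domain in IOC_DOMAINS:          # hostnames are case-insensitive
        if domain in lowered:
            found.add(f"domain:{domain}")
    for ip, pattern in _IP_PATTERNS.items():
        if pattern.search(line):
            found.add(f"ip:{ip}")
    for url in IOC_URLS:                # URL paths are case-sensitive, so match the raw line
        if url in line:
            found.add(f"url:{url}")
    return sorted(found)


def scan_logs(lines) -> list:
    """Return (line_index, indicators) for every line that contains at least one indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample proxy log; the last line is a near-miss IP that must not match.
SAMPLE_PROXY_LOG = [
    "2024-09-02T08:14:03Z src=10.20.1.55 dst=portal.sharjahconnect.online method=POST status=200",
    "2024-09-02T08:14:09Z src=10.20.1.55 url=http://94.131.108.78:7118/B/hi/ status=200",
    "2024-09-02T08:15:41Z src=10.20.1.77 dst=updates.example.com method=GET status=304",
    "2024-09-02T08:16:02Z src=10.20.1.55 dst=194.131.108.78 method=GET status=200",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_PROXY_LOG):
        print(f"line {idx}: {', '.join(hits)}")
    for path, hits in scan_directory(Path(".")):
        print(f"{path}: {hits}")
```

Run it from the directory you want to sweep, or call scan_logs() with lines read from your proxy or DNS export. Treat a hit on the domain or the IP:7118 URLs as a C2 beacon candidate and pivot from the source address to the host's process list; the hash matches identify the dropped setup.exe / GlobalProtect.exe components themselves.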