Posted on November 20, 2020 by John Limb
In the past few weeks, we have seen a significant increase in malicious attacks by bad actors using Cobalt Strike. Cobalt Strike is a legitimate tool used to give penetration testers access to many different attack capabilities. The issue lies when this toolkit gets into the wrong hands. Predominantly we have been seeing Cobalt Strike deploy an agent named “Beacon” for post-exploitation. Deploying this successfully can lead to a Ryuk Ransomware attack.
This week, BraintraceLABS is reporting Cobalt Strike as the most seen malware. Cobalt Strike enters the network in various ways, including via malware like BazarLoader. Malware can be installed with different tricks. The most common way is when the victim is tricked into clicking on a phishing campaign and downloads a file, which can be Word or Excel file. Then the user is tricked into enabling a macro. Once the macro is enabled, the malware will get into the network.
According to Microsoft, Cobalt Strike is being deployed through online ads claiming to be a Microsoft Teams update. The bad actor tricks the victim into clicking on a fake online ad. These advertisements will send the victim to an online domain under the control of the bad actor. When the victim clicks on the link, a download will begin. Instead of receiving the update, the user will download the payload, which can contain Cobalt Strike.
Dragonfly Encrypted Payload Analytics (EPA) prediction model identifies Cobalt Strike Beacon communications.
Braintrace’s Dragonfly is reporting the below C2 indicators of compromise for Cobalt Strike.
|IP ADDRESS||WEB HOSTNAME||COUNTRY||AS LABEL||AS NUMBER|
|184.108.40.206||31[.]44[.]184[.]131||Russia||Petersburg Internet Network ltd.||44,050|
|220.127.116.11||livenx[.]com||United States||Leaseweb USA, Inc.||396,362|
|18.104.22.168||stylesam[.]com||United States||Leaseweb USA, Inc.||30,633|
|22.214.171.124||epicnut[.]com||United States||Leaseweb USA, Inc.||7,203|
|126.96.36.199||sslcar[.]com||United States||Leaseweb USA, Inc.||19,148|
|188.8.131.52||beltpost[.]com||United States||TeraSwitch Networks Inc.||20,326|
|184.108.40.206||idrivehelper[.]com||Switzerland||Private Layer INC||51,852|
REACH OUT TO US
If you have any questions or concerns about Trickbot and Ryuk. Please feel free to contact us at firstname.lastname@example.org.