Rewterz Threat Alert – CobaltStrike Beacon Masquerades as VPN Client Installers

Severity

High

Analysis Summary

Recently, NSIS installers for fake VPN clients have been detected distributing Cobalt Strike. All of these installers drop “InsHelper.exe” which loads “c2hex”. Below is a sample VPN installer that deploys CobaltStrike using Side-Loading Technique via TaskServer.exe process. After download and execution, communication with C2 begins. 

Impact

• System Compromise
• Network-wide attack
• Unauthorized access to information

Indicators of Compromise

MD5

• 7f5539fb392b465d0c40eea99f8b1fa3
• 7dc65336c95d13bb58cb9472eaa6872f
• e452dd334c0c1dbf4b5949095ebd0ef2
• 44071052bde88a61108a7e5e2dbdd210
• e078ae440ed5b50171f47afd3eb336c8

SHA-256

• 6be0e17ae33448f07aec1968f74962d021229792b60214780d4e56cc4c194e1d
• 0790e138f23c1335d30fae4b1cd42937f6c43b1300b40bc02c15f48f48aac6d7
• be96d1dd3a515e229b25183556c2dd3209f23bd2239dbf0b4791be31864311de
• 37abf46946d478f17de5b0f15c2d3a1ae79b7d41c48384cc0d3afb26e9c8ce57
• 9aa374e8bc755d6b49175a8644aa7c7e715062261b41ee98ae939b4dfe3975ea

SHA1

• e3cda43df2370dd5e07d8f8cac91921287a37de1
• 8347590b404cd8d1d084fef29dec1ac7af419b80
• f441d34a5eb36cc4a101d2abc8da5c03be72fed9
• 9171e0460e6dff6d2b98470b49282e09f9295e61
• 23314fa5cb70a12df64f430394e3a779da561b22

Source IP

• 116[.]85[.]25[.]159
• 39[.]101[.]207[.]158

URL

• https[:]//116[.]85[.]25[.]159/
• http[:]//116[.]85[.]25[.]159
• https[:]//39[.]101[.]207[.]158
• http[:]//39[.]101[.]207[.]158[:]39999/
• http[:]//39[.]101[.]207[.]158/
• http[:]//39[.]101[.]207[.]158

Remediation

• Block the threat indicators at their respective controls.
• Only use authentic VPNs downloaded from official sources.
• Do not download random untrusted software from random sources on the internet.