Severity

High

Analysis Summary

Recently, NSIS installers for fake VPN clients have been detected distributing Cobalt Strike. All of these installers drop “InsHelper.exe” which loads “c2hex”. Below is a sample VPN installer that deploys CobaltStrike using Side-Loading Technique via TaskServer.exe process. After download and execution, communication with C2 begins. 

Impact

• System Compromise
• Network-wide attack
• Unauthorized access to information

Indicators of Compromise

MD5

• 7f5539fb392b465d0c40eea99f8b1fa3
• 7dc65336c95d13bb58cb9472eaa6872f
• e452dd334c0c1dbf4b5949095ebd0ef2
• 44071052bde88a61108a7e5e2dbdd210
• e078ae440ed5b50171f47afd3eb336c8

SHA-256

• 6be0e17ae33448f07aec1968f74962d021229792b60214780d4e56cc4c194e1d
• 0790e138f23c1335d30fae4b1cd42937f6c43b1300b40bc02c15f48f48aac6d7
• be96d1dd3a515e229b25183556c2dd3209f23bd2239dbf0b4791be31864311de
• 37abf46946d478f17de5b0f15c2d3a1ae79b7d41c48384cc0d3afb26e9c8ce57
• 9aa374e8bc755d6b49175a8644aa7c7e715062261b41ee98ae939b4dfe3975ea

SHA1

• e3cda43df2370dd5e07d8f8cac91921287a37de1
• 8347590b404cd8d1d084fef29dec1ac7af419b80
• f441d34a5eb36cc4a101d2abc8da5c03be72fed9
• 9171e0460e6dff6d2b98470b49282e09f9295e61
• 23314fa5cb70a12df64f430394e3a779da561b22

Source IP

• 116[.]85[.]25[.]159
• 39[.]101[.]207[.]158

URL

• https[:]//116[.]85[.]25[.]159/
• http[:]//116[.]85[.]25[.]159
• https[:]//39[.]101[.]207[.]158
• http[:]//39[.]101[.]207[.]158[:]39999/
• http[:]//39[.]101[.]207[.]158/
• http[:]//39[.]101[.]207[.]158

Remediation

• Block the threat indicators at their respective controls.
• Only use authentic VPNs downloaded from official sources.
• Do not download random untrusted software from random sources on the internet.