Severity

Medium

Analysis Summary

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

Impact

• Data Exfiltration
• Information Theft

Indicators of Compromise

IP

• 89[.]163[.]253[.]100
• 5[.]104[.]110[.]248
• 91[.]193[.]16[.]144
• 162[.]33[.]179[.]128
• 192[.]46[.]217[.]247
• 206[.]221[.]176[.]225
• 104[.]194[.]11[.]51
• 151[.]236[.]23[.]138

URL

• http[:]//kertisbank[.]com/
• http[:]//jobefur[.]com/
• http[:]//bobyfrank[.]com/
• http[:]//gostnamara[.]com/
• http[:]//svedroom[.]com/
• http[:]//modasum[.]com/
• http[:]//sujaxa[.]com/
• http[:]//grupostefano[.]com/

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.