Severity
Medium
Analysis Summary
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.
Impact
- Data Exfiltration
- Information Theft
Indicators of Compromise
Filename
- CLMCP 9215 Nov 15 (383)[.]xlsb
IP
- 190[.]14[.]37[.]84
- 80[.]71[.]158[.]152
- 190[.]14[.]37[.]84
- 71[.]13[.]93[.]154
- 103[.]143[.]8[.]71
- 50[.]194[.]160[.]233
- 37[.]252[.]0[.]102
- 23[.]111[.]114[.]52
- 5[.]255[.]98[.]144
MD5
- 3489702c1298d45a5964aadd4a5753a6
- a4d17faab32f86aa4546964dc1b317d8
- 01e81516cbf689ff0e9444aee11e53d1
- 13fc44f206bcd75d2880d39a22d777a3
SHA-256
- 18bd1ae701ff57a6d1119f18c53350688f41cbac0ea1ad0cb73234f6ab733404
- aca6a42ef77fb9e13c8a77caad356b10b7f8114fa89de06acda9ab4e379a69f9
- b9b399dbb5d901c16d97b7c30cc182736cd83a7c53313194a1798d61f9c7501e
- 3cde8a896848e9c28ccfcc2db7812602143de7be90aa44fcfe83c85ac7e53f9b
SHA-1
- ed0afe8cbdfb77332f9ce8c28b1be592eb89d730
- 6ef08c458a784bb2d5f41485285628ec37bf8b5b
- 04b69b23d16f80f9d1852d515d26071b7dd1648c
- 5cd8cc40a71dc9a2b5ea8b023cb6f8bdb1c16748
URL
- http[:]//190[.]14[.]37[.]84/5555555[.]dat
- https[:]//softwareupdatechecking[.]at/
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.