

Rewterz Threat Alert – APT-C-27 Raddex Family Malicious Android APK
August 4, 2021
Rewterz Threat Advisory –Multiple Cisco Small Business Wireless Access Points Vulnerabilities
August 4, 2021
Severity
High
Analysis Summary
Cobalt Strike is a commercial penetration testing product that lets an attacker deploy an agent named 'Beacon' on the victim machine. Beacon gives the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning, and lateral movement. Beacon is in-memory and file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or by executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, and SMB named pipes as well as forward and reverse TCP, and Beacons can be daisy-chained. Cobalt Strike also ships with a toolkit for developing shellcode loaders, called Artifact Kit.
Impact
- Data Exfiltration
- Information Theft
Indicators of Compromise
Domain Name
- dirupun[.]com
- croperdate[.]com
- bmwfor[.]com
- acurashu[.]com
- karavan[.]azureedge[.]net
- tcmb[.]azureedge[.]net
- merssed[.]com
- menoiras[.]space
- mazdafo[.]com
- marshbol[.]com
- losmapes[.]com
- imagalytics[.]com
- identalytics[.]com
- hondame[.]com
- freshjuk[.]com
- fivezin[.]com
MD5
- 08def560c0be9666636a8dacf5e60ae6
SHA-256
- a67b47abcaeac789e1716ddd92b3c4bdf74abd04c5583958a27b16dbe26a35e7
SHA-1
- cab565fc2c7f7cc535e0d5d0a7d49b4a615162d2
URL
- http[:]//menoiras[.]space/222g100/index[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not visit links given in untrusted emails, even if they redirect to Google Drive.
- Search for IOCs in your environment.
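The following script is an added example, not part of the Rewterz advisory, showing one way to carry out the last remediation step: it refangs the defanged indicators listed above and searches proxy/DNS log lines and a list of observed file hashes for them. Subdomains of a listed domain are also flagged, since a match on the registered domain is usually what a defender wants. The log lines and the second hash are constructed sample input; the indicator values themselves are the ones on this page.

```python
"""Search local telemetry for the advisory's indicators of compromise.

Added example (not part of the Rewterz advisory). Indicator values are copied
from the advisory; the log lines and non-matching hash below are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators as listed on the page, in defanged form.
DEFANGED_DOMAINS = [
    "dirupun[.]com", "croperdate[.]com", "bmwfor[.]com", "acurashu[.]com",
    "karavan[.]azureedge[.]net", "tcmb[.]azureedge[.]net", "merssed[.]com",
    "menoiras[.]space", "mazdafo[.]com", "marshbol[.]com", "losmapes[.]com",
    "imagalytics[.]com", "identalytics[.]com", "hondame[.]com",
    "freshjuk[.]com", "fivezin[.]com",
]
DEFANGED_URL = "http[:]//menoiras[.]space/222g100/index[.]php"
HASHES = {
    "md5": "08def560c0be9666636a8dacf5e60ae6",
    "sha1": "cab565fc2c7f7cc535e0d5d0a7d49b4a615162d2",
    "sha256": "a67b47abcaeac789e1716ddd92b3c4bdf74abd04c5583958a27b16dbe26a35e7",
}


def refang(ioc: str) -> str:
    """Convert a defanged indicator back into the form seen in real logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URL = refang(DEFANGED_URL)
HASH_SET = {h.lower() for h in HASHES.values()}

# Extracts dotted host names from a log line (IPv4 addresses do not match,
# because the last label must be alphabetic).
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def host_matches(host: str) -> Optional[str]:
    """Return the listed domain a host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched indicator) for every line that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        if URL in line:                      # full URL takes precedence
            hits.append((n, URL))
            continue
        for host in HOST_RE.findall(line):
            matched = host_matches(host)
            if matched:
                hits.append((n, matched))
                break                        # one hit per line is enough
    return hits


def scan_hashes(observed: Iterable[str]) -> List[str]:
    """Return the observed file hashes (any of MD5/SHA-1/SHA-256) that are listed."""
    return sorted({h.lower() for h in observed if h.lower() in HASH_SET})


# Constructed sample telemetry for the demonstration; not real logs.
SAMPLE_LOG = [
    "2021-08-04T10:02:11Z 10.0.0.15 GET http://www.microsoft.com/ 200",
    "2021-08-04T10:03:40Z 10.0.0.15 GET http://menoiras.space/222g100/index.php 200",
    "2021-08-04T10:05:02Z 10.0.0.22 DNS A cdn.tcmb.azureedge.net",
    "2021-08-04T10:06:19Z 10.0.0.22 GET https://example.com/index.php 200",
]
SAMPLE_HASHES = [
    "08DEF560C0BE9666636A8DACF5E60AE6",    # advisory MD5, upper-cased as a tool might emit it
    "d41d8cd98f00b204e9800998ecf8427e",    # MD5 of an empty file; constructed non-match
]

if __name__ == "__main__":
    for line_no, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: matched {ioc}")
    for h in scan_hashes(SAMPLE_HASHES):
        print(f"hash match: {h}")
```

Run it as-is to see the two log hits and the one hash hit; to use it against real data, replace `SAMPLE_LOG` with lines read from your proxy or DNS logs and `SAMPLE_HASHES` with hashes from your EDR or file inventory.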