Rewterz Threat Alert – Cobalt Strike Malware – IOCs

Severity

High

Analysis Summary

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit

Impact

• Data Exfiltration
• Information Theft

Indicators of Compromise

Filename

• Invoice756114[.]docm

IP

• 193[.]56[.]146[.]99

MD5

• 4d60e685e87d3e7581d1eed5a2d4b774

SHA-256

• 25ea1ae3536c8c7310cb134737cae1f765dc32bfc2478888509d73527a0fbc44

SHA-1

• 4accbda17d5b3d5d990b4c1a4ee1e4cb0ec7c725

URL

http[:]//193[.]56[.]146[.]99[:]3389/ga[.]js

Remediation

• Block the threat indicators at their respective controls.
• Do not visit links given in untrusted emails, even if they redirect to Google Drive.
• Search for IOCs in your environment.