Discover and read the best of Twitter Threads about #CobaltStrike
Most recents (16)
1/ DEV-0569, current distribution via #GoogleAds.
1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥
(No more BatLoader in the infection chain)
1.- #Gozi aka #Ursnif (bot) ↓
2.- #RedLine (stealer) ↓
And if the conditions are right, possibly:
3.- #CobaltStrike (C2) ↓
4.- #Royal Ransomware 💥
(No more BatLoader in the infection chain)
2/ For deployment, they use Add-MpPreference to configure exclusions in Windows Defender (extensions, paths and processes), #NSudo to launch binaries with full privileges and #GnuPG to encrypt the payloads.
Initial MSI file has 0 hits in VT.
Initial MSI file has 0 hits in VT.
3/ All payloads are hosted on @Bitbucket, in a repository that was created in August 2022.
In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.
ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
In just 3 days, #Gozi and #RedLine have been downloaded 2477 and 2503 times respectively.
ZLocal.gpg has been downloaded more than 48193 times since December 24, 2022 (potential victims).
With the release of my open-source #CobaltStrike stager decoder (which you can read about here: stairwell.com/news/stairwell…) I thought I'd make a thread showcasing some of the other great open-source tooling out there to help with Cobalt Strike #ThreatHunting and #ThreatIntel 🧵
github.com/RomanEmelyanov…: These are the OG scripts designed for interfacing with Team Servers. Famous for its get_beacon script for milking staged payloads from Team Servers and decrypting them, this GH account also has a script for logging into teamservers and wordlists💀
github.com/JPCERTCC/aa-to… The first Cobalt Strike Beacon configuration extractor that I was aware of, @jpcert_en created a volatility plugin for finding and parsing Beacon configs from memory
🧵Let's talk about #Telegram - here are ten useful cybersecurity groups and channels we watch:
A thread:
A thread:
1. Cyber Security News (30k+ members)
Cyber Security News is a feed channel for links to breaking news stories across the internet, everything from #TechCrunch to #Portswigger. It’s a one-stop shop for cyber-related news with your morning coffee.
telegram.me/cyber_security…
Cyber Security News is a feed channel for links to breaking news stories across the internet, everything from #TechCrunch to #Portswigger. It’s a one-stop shop for cyber-related news with your morning coffee.
telegram.me/cyber_security…
2. Cyber Security Experts (23k+ members)
A great channel for exchanging #information about #cyber, #IT, and #security. Mainly used to get answers to questions and help other security experts to enhance their security maturity.
t.me/cybersecuritye…
A great channel for exchanging #information about #cyber, #IT, and #security. Mainly used to get answers to questions and help other security experts to enhance their security maturity.
t.me/cybersecuritye…
Follina Exploit Leads to Domain Compromise
➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop
thedfirreport.com/2022/10/31/fol…
➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop
thedfirreport.com/2022/10/31/fol…
Analysis and reporting completed by @pigerlin, @yatinwad and @_pete_0.
Shout outs to @CISAgov, @GossiTheDog, @msftsecresponse, @malware_traffic and @sans_isc.
Shout outs to @CISAgov, @GossiTheDog, @msftsecresponse, @malware_traffic and @sans_isc.
IOC's for intrusion, dated June 2022
Maldoc:
doc532.docx
03ef0e06d678a07f0413d95f0deb8968190e4f6b
Qbot Dll:
liidfxngjotktx.dll
dab316b8973ecc9a1893061b649443f5358b0e64
Netsupport Client
client32.exe
3112a39aad950045d6422fb2abe98bed05931e6c
Maldoc:
doc532.docx
03ef0e06d678a07f0413d95f0deb8968190e4f6b
Qbot Dll:
liidfxngjotktx.dll
dab316b8973ecc9a1893061b649443f5358b0e64
Netsupport Client
client32.exe
3112a39aad950045d6422fb2abe98bed05931e6c
1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:
1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥
2/ For initial deployment they use NirCmd, NSudo and GnuPG (to encrypt payloads) among other utilities.
* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
* Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
* Remove-Encryption -FolderPath $env:APPDATA -Password '105b'
3/ The websites are boosted through SEO poisoning and impersonate brands such as @Zoom, @TeamViewer, @anydesk, @LogMeIn, @CCleaner, #FileZilla and #Winrar among others.
/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
/teamviewclouds.com
/zoomcloudcomputing.tech
/logmein-cloud.com
/teamcloudcomputing.com
/anydeskos.com
Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods.
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode.
A (big) thread ⬇️⬇️
[1/23]
[2/23]
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
To follow along, download the sample from the link below. Then transfer the .zip into a safe VM environment.
My VM is a mostly default Flare VM with SpeakEasy installed on top.
bazaar.abuse.ch/sample/08ec3f1…
[3/23] Once unzipped (pw:infected), load the file into pe-studio for quick analysis. There isn't a lot interesting here, but take note that the file a 64-bit .dll with 4 exported functions.
About a week ago, @TalosSecurity team shared some insights related to a recent cyber attack on @Cisco. According to Indicators of compromise, mentioned in this article (bit.ly/3K76lFJ), we have known this group of attackers since the beginning of 2022.
Group-IB's researchers has discovered their TTPs in a series of attacks using #CobaltStrike, #Sliver and #Covenant tools. Our internal name of this group is #TridentCrow.
One of the domains that was published by @Cisco (ciscovpn2[.]com) has a self-signed SSL certificate with unique values. According to Group-IB Threat Intelligence database, out of more than 2 billion certificates, only 39 have similar values and mimic well-known IT companies.
BumbleBee Roasts Its Way to Domain Admin
➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk
thedfirreport.com/2022/08/08/bum…
➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk
thedfirreport.com/2022/08/08/bum…
Analysis and reporting completed by @Tornado and @MetallicHack
Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks ya'll!
Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks ya'll!
IOC's
#Bumblebee
BC_invoice_Report_CORP_46.zip
6c87ca630c294773ab760d88587667f26e0213a3
142.91.3[.]109:443
45.140.146[.]30:443
#CobaltStrike
fuvataren[.]com
45.153.243[.]142:443
dofixifa[.]co
108.62.12[.]174:443
CS Payload Hosting
hxxp://104.243.33.50:80/a
#Bumblebee
BC_invoice_Report_CORP_46.zip
6c87ca630c294773ab760d88587667f26e0213a3
142.91.3[.]109:443
45.140.146[.]30:443
#CobaltStrike
fuvataren[.]com
45.153.243[.]142:443
dofixifa[.]co
108.62.12[.]174:443
CS Payload Hosting
hxxp://104.243.33.50:80/a
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Righto. Lets talk about this data and how to use it. To start, I'm uploading a zip file of all samples as well to allow downloading in bulk. I'll also share out some more parts of this as we go. So, off we go...
🧵(1/14)
🧵(1/14)
For background, #CobaltStrike is an "adversary simulation tool" (pentesting tools vs malware sometimes are only philosophically different #FightMe). It is widely used for legitimate security testing, pre-ransomware operations and other malicious threat actors.
🧵(2/14)
🧵(2/14)
The files provide are called Beacon. It's the malware deployed and controlled by CobaltStrike. While the two names are commonly misused interchangeably (even by myself). @Mandiant did a solid write-up on names. mandiant.com/resources/defi…
🧵(3/14)
🧵(3/14)
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.
If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue, and tracking work to be done. #ContiLeaks
This content looks VERY familiar...
1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4.Powerview/UserHunter instructions
Thanks @vxunderground!!
1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4.Powerview/UserHunter instructions
Thanks @vxunderground!!
1. NTDS dumping
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script
1. Dump LSASS via #CobaltStrike, RDP, Mimikatz
2. AnyDesk install/exec
3. Scheduled task and wmic exec
4. AdFind! The same script we've been seeing since 2019
2. AnyDesk install/exec
3. Scheduled task and wmic exec
4. AdFind! The same script we've been seeing since 2019
Here's some newer #CobaltStrike servers we're tracking:
scripts[.]arshmedicalfoundation[.]com
3.142.144[.]90:443
servers[.]indiabullamc[.]com
139.180.214[.]187:80
rce[.]accountrecovery[.]co[.]uk
134.209.118[.]184:80
Full list available @ thedfirreport.com/services
#AllIntel
scripts[.]arshmedicalfoundation[.]com
3.142.144[.]90:443
servers[.]indiabullamc[.]com
139.180.214[.]187:80
rce[.]accountrecovery[.]co[.]uk
134.209.118[.]184:80
Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:
azurecloud[.]dynssl[.]com
136.244.113[.]93:443
securesoftme[.]azureedge[.]net
162.244.80[.]181:80|443
www[.]msclientweb[.]com
147.182.175[.]159:443
Full list available @ thedfirreport.com/services
#AllIntel
azurecloud[.]dynssl[.]com
136.244.113[.]93:443
securesoftme[.]azureedge[.]net
162.244.80[.]181:80|443
www[.]msclientweb[.]com
147.182.175[.]159:443
Full list available @ thedfirreport.com/services
#AllIntel
Here's some newer #CobaltStrike servers we're tracking:
macrodown[.]azureedge[.]net
85.93.88[.]165:80
taobao[.]alibaba-cn[.]ga
155.94.163[.]56:80
upload[.]dwi22g[.]com
185.244.150[.]52:443
Full list available @ thedfirreport.com/services
#AllIntel
macrodown[.]azureedge[.]net
85.93.88[.]165:80
taobao[.]alibaba-cn[.]ga
155.94.163[.]56:80
upload[.]dwi22g[.]com
185.244.150[.]52:443
Full list available @ thedfirreport.com/services
#AllIntel
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: microsoft.com/security/blog/…
Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
Facebook’s @ngleicher was right about linking #APT32 to CyberOne and here is why:
As per Group-IB #ThreatIntelligence & #Attribution the domain cbo[.]group had an IP 45[.]61[.]136[.]214 in the A-record. On this IP address, we detected a unique SSH 4b390f0b7125c0d01fe938eb57d24051
As per Group-IB #ThreatIntelligence & #Attribution the domain cbo[.]group had an IP 45[.]61[.]136[.]214 in the A-record. On this IP address, we detected a unique SSH 4b390f0b7125c0d01fe938eb57d24051
According to Group-IB Graph Network Analysis, this fingerprint was also seen on 30 other hosts including on 45[.]61[.]136[.]166 and 45[.]61[.]136[.]65. Both were used to deploy a uniquely configured #CobaltStrike framework, used exclusively by #APT32 aka #OceanLotus
All the listed IPs belong to the autonomous network - AS53667 within the range of 45.61[.]128[.]0 to 45[.]61[.]191[.]255. We've also seen #APT32 hosting #CobaltStrike on the 45[.]61[.]139[.]211, which was indicated in the A-record of feeder[.]blogdns[.]com
