Red Team bad opsec part 2
Let's start with this legit-looking website
facilities-awareness.]com
13.249.22.]98
When you pay attention, you can spot one interesting detail here.
The website logo/name (Model/Remodel) does not match the URL: facilities-awareness.]com
According to Cisco Talos, the website is categorized as Real Estate.
Now let's find out more details about the domain
You can see three IP addresses, but let's focus only on 64.69.57.]212 and the 13.349.135.xx range
Now let's investigate this one
64.69.57.]212
Looks like we have found something interesting here
Cobalt Strike shellcode connecting to 64.69.57.]212
Let's grab the shellcode
app.any.run/tasks/921100ec…
Triage analysis
tria.ge/210916-qvphpsd…
Right, so we know that azuerlink.]net is a Cobalt Strike C2 (the other domains are Cobalt Strike C2s as well)
but what about facilities-awareness.]com?
and this is the beacon
Short summary
and this is the real Model Remodel website
https://modelremodel.]com
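The indicators in the thread are shared defanged (".]" inserted before the TLD or last octet), so before pivoting on them in a search engine, sandbox or passive-DNS source they have to be refanged and sanity-checked. The block below is an added example written for this page, not code from the thread's author: it takes the defanged indicators quoted above as a constructed input list, refangs them, classifies each as a domain, a full IPv4 address or a masked IPv4 range, and validates every numeric octet. The defang conventions it understands ("[.]", ".]", "[.", "hxxp") are an assumption about common sharing styles, not something the thread defines. Note that it flags the 13.349.135.xx range: 349 is not a valid octet, which is exactly the kind of transcription slip a validator should surface before the value is pasted into a blocklist.

```python
import ipaddress
import re

# Constructed sample: the defanged indicators exactly as quoted in the thread above.
THREAD_IOCS = [
    "facilities-awareness.]com",
    "13.249.22.]98",
    "64.69.57.]212",
    "13.349.135.xx",
    "azuerlink.]net",
    "https://modelremodel.]com",
]

# Assumed defanging conventions seen in threat-intel sharing; order matters so
# that "[.]" is handled before its halves.
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\.\]|\[\."), "."),
    (re.compile(r"\bhxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

# Four dot-separated groups, each either 1-3 digits or 1-3 "x" mask characters.
_IPV4_LIKE = re.compile(r"^(\d{1,3}|x{1,3})(\.(\d{1,3}|x{1,3})){3}$")
# Hostname labels per RFC 1035 length rules with an alphabetic TLD.
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
                     re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form."""
    out = ioc
    for pattern, replacement in _REFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


def defang(ioc: str) -> str:
    """Defang a live indicator in the [.] style for safe sharing."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def _octets_ok(host: str) -> bool:
    """Every numeric octet must fit in 0-255; masked octets ('x') are skipped."""
    return all(int(o) <= 255 for o in host.split(".") if o.isdigit())


def classify(ioc: str) -> tuple:
    """Return (kind, refanged_host, is_valid) for one defanged indicator."""
    value = refang(ioc)
    host = re.sub(r"^https?://", "", value, flags=re.IGNORECASE).split("/")[0]
    if _IPV4_LIKE.match(host):
        if "x" in host:
            # A masked range: we can only check the octets that are spelled out.
            return ("ipv4-range", host, _octets_ok(host))
        try:
            ipaddress.IPv4Address(host)
            return ("ipv4", host, True)
        except ValueError:
            return ("ipv4", host, False)
    if _DOMAIN.match(host):
        return ("domain", host, True)
    return ("unknown", host, False)


def triage(iocs: list) -> list:
    """Refang, classify and validate a list of defanged indicators."""
    return [(raw,) + classify(raw) for raw in iocs]


def invalid(iocs: list) -> list:
    """Hosts that fail validation and must be checked by hand before use."""
    return [host for _raw, _kind, host, ok in triage(iocs) if not ok]


if __name__ == "__main__":
    for raw, kind, host, ok in triage(THREAD_IOCS):
        print(f"{raw:32} -> {kind:10} {host:24} {'ok' if ok else 'INVALID'}")
```

Run it as a script to print one line per indicator; the only entry reported as INVALID is the 13.349.135.xx range, so the other hosts can be fed to pivots such as passive DNS or the sandbox searches the thread links to.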