101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl is the oldest Polish Mastodon server. Posts of up to 2048 characters are supported.


#cobaltstrike


For hobbyist Cobalt Strike Beacon collectors, note that the recently announced 4.11 update introduces a number of changes to frustrate Beacon configuration extraction, namely through the new `transform-obfuscate` field.

When set, this field can apply multiple layers of encoding, encryption and compression (with some recent Beacons observed with a 32 byte XOR key, configurable up to 2048 bytes!).

While still reasonably trivial to decode manually, standard automated workflows (say, through the SentinelOne parser) will now fail, not least because of changes to the well-known field markers.

Beacons with these characteristics have thus far been observed with watermarks indicative of licensed instances, though I imagine it is only a matter of time before the 4.11 capabilities become accessible to all manner of miscreants.

A sample configuration, via a staged Beacon on 104.42.26[.]200, is attached, including the three distinct XOR keys used to decode it.

cobaltstrike.com/blog/cobalt-s

Europol coordinates global action against criminal abuse of Cobalt Strike 🔥 We are very proud that together with our partner @spamhaus we are part of this international operation 👏 🎉

Indicators on rogue Cobalt Strike botnet C2 servers related to the operation are being made available on ThreatFox 🦊 :

➡ threatfox.abuse.ch/browse/malw

In addition, The Spamhaus Project is sending out abuse reports to network owners hosting such rogue (active) Cobalt Strike servers 📨 . If you are a network operator receiving such an abuse report, you should take action on it swiftly 🙏

Further reading:
👉 europol.europa.eu/media-press/

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #40/2023 is out! It includes the following and much more:

🇺🇸 🗳️ D.C. Board of #Elections confirms voter data stolen in site hack
🔓 🪪 #MGM Resorts confirms hackers stole customers’ personal data during #cyberattack
🔓 🧬 #DNA testing service 23andMe investigating theft of user data
🔓 🎧 #Sony confirms #databreach impacting thousands in the U.S.
📱 💥 Lyca Mobile Group Services Significantly Disrupted by Cyberattack
🔓 🕵🏻‍♂️ #NATO investigating breach, #leak of internal documents
🔓 🇪🇺 European Telecommunications Standards Institute Discloses Data Breach
🔓 🏨 #MotelOne discloses data breach following #ransomware attack
🇰🇵 💰 North Korea's #Lazarus Group Launders $900 Million in #Cryptocurrency
🇧🇪 🇨🇳 #Alibaba accused of ‘possible espionage’ at European hub
🇨🇳 #China-linked cyberspies #backdoor #semiconductor firms with #CobaltStrike
🥸 Meet LostTrust #ransomware — A likely rebrand of the #MetaEncryptor gang
🇬🇾 🇨🇳 #Guyana Governmental Entity Hit by #DinodasRAT in #CyberEspionage Attack
🇷🇺 🇺🇸 #FBI most-wanted Russian hacker reveals why he burned his passport
🇺🇸 🏥 #FDA cyber mandates for #medicaldevices goes into effect
☁️ 🔓 Number of Internet-Exposed #ICS Drops Below 100,000
☁️ #Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via #SQL Server Instance
🦠 📈 #QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks
🔓 🍏 #Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
🎣 🧑🏻‍💼 US Executives Targeted in #Phishing Attacks Exploiting Flaw in Indeed Job Platform
🦠 🏦 #Zanubis #Android Banking Trojan Poses as Peruvian Government App to Target Users
🦠 🇮🇷 Iranian APT Group #OilRig Using New Menorah #Malware for Covert Operations
🔐 ☁️ #Amazon to make #MFA mandatory for 'root' #AWS accounts by mid-2024
🛡️ 🧅 #Microsoft Defender no longer flags #Tor Browser as malware
👀 X-Force uncovers global #NetScaler Gateway credential harvesting campaign
🐛 💰 Zero-days for hacking #WhatsApp are now worth millions of dollars
🩹 #Cisco fixes hard-coded root credentials in Emergency Responder
🔓 Vulnerabilities in #Supermicro BMCs could allow for unkillable server #rootkits
🔓 🐧 Looney Tunables: New #Linux Flaw Enables Privilege Escalation on Major Distributions
🐍 Warning: #PyTorch Models Vulnerable to Remote Code Execution via ShellTorch
🩹 Microsoft Edge, Teams get fixes for zero-days in #opensource libraries
🔓 🔥 Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw
☁️ Cloudflare #DDoS protections ironically bypassed using #Cloudflare

📚 This week's recommended reading is: "8 Steps to Better Security: A Simple Cyber Resilience Guide for Business" by Kim Crawley

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s Infosec Newsletter · InfoSec MASHUP - Week 40/2023, by Xavier «X» Santolaria

"🚨 Earth Lusca's New Linux Backdoor: SprySOCKS Unveiled! 🐙"

Earth Lusca, a China-linked threat actor, has been spotted employing a novel Linux backdoor, dubbed "SprySOCKS". This malware seems to have evolved from the open-source Windows backdoor Trochilus. The backdoor showcases swift behavior and a SOCKS implementation, hence the name. 🐍💼

SprySOCKS's structure is reminiscent of the RedLeaves backdoor, a RAT known to infect Windows machines. This backdoor is still under development, with different versions observed. Its interactive shell seems to draw inspiration from the Linux variant of the Derusbi malware. 🕵️‍♂️🔍

Recent activities of Earth Lusca indicate a focus on Southeast Asia, Central Asia, and the Balkans. Their primary targets? Government departments in foreign affairs, technology, and telecommunications. They've been exploiting server-based N-day vulnerabilities, including CVE-2022-40684, CVE-2022-39952, and more. Once inside, they deploy Cobalt Strike for lateral movement, aiming to exfiltrate sensitive data and conduct long-term espionage. 🌍🎯

Source: Trend Micro Research

Tags: #EarthLusca #SprySOCKS #LinuxBackdoor #CyberSecurity #APT #ThreatIntelligence #RedLeaves #Trochilus #CobaltStrike 🌐🔐🖥️

Trend Micro · Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement: While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server — a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.

2023-05-22 (Mon) & 2023-05-23 (Tue): TA577 pushes #Pikabot

2023-05-24 (Wed): TA577 back to pushing #Qakbot (#Qbot)

Pikabot:

- malware-traffic-analysis.net/2

- malware-traffic-analysis.net/2

Qakbot (TA570 obama264):

- malware-traffic-analysis.net/2

I was lucky enough to get #CobaltStrike with the two Pikabot infections, so I wrote tweets for my employer on the bird site.

See the above links for #pcap files, malware samples, IOCs, and links to my employer's tweets for the Pikabot activity.

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #20/2023 is out! It includes, but not only:

🔓 PoC Tool Exploits Unpatched #KeePass Vulnerability to Retrieve Master Passwords
📱 Millions of Smartphones Distributed Worldwide With Preinstalled ‘Guerrilla’ #Malware
📨 #MalasLocker ransomware targets #Zimbra servers, demands charity donation
🇯🇵 🇺🇦 🇮🇪 🇮🇸 4 Countries Join #NATO Cyber Defense Center
🤐 New #ZIP domains spark debate among #cybersecurity experts
🍏 Open-source #CobaltStrike port 'Geacon' used in #macOS attacks
🇺🇸 #IBM Snaps up DSPM Startup Polar Security
🇷🇺 🇺🇸 Russian Hacker “Wazawaka” Indicted for #Ransomware
🇺🇸 🇦🇺 #StopRansomware: BianLian Ransomware Group
🇨🇳 Malware turns home routers into proxies for Chinese state-sponsored hackers
🏠 🔌 ‘FriendlyName’ Buffer Overflow Vulnerability in #Wemo Smart Plug V2
🔙 🚪 Stealthy MerDoor malware uncovered after five years of attacks
🇱🇻 ✈️ Airline exposes passenger info to others due to a 'technical error'
‣ New 'MichaelKors' Ransomware-as-a-Service Targeting #Linux and #VMware ESXi Systems
🇺🇸 🇰🇷 Ransomware group claims 2.5 terabytes of stolen data less than a month after emerging online
🇰🇵 North Korea funding half its missile program with #cryptocurrency theft and cyberattacks
🇺🇸 Former #Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case
🇬🇧 #Capita warns customers they should assume data was stolen

#cyberdefense #security #automation #airline #data

📚 This week's recommended reading is: "PowerShell Automation and Scripting for CyberSecurity: Hacking and Defense for Red and Blue Teamers" by Miriam C. Wiesner

Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️

0x58.substack.com/p/infosec-ma

X’s Infosec Newsletter · InfoSec MASHUP - Week 20/2023, by Xavier «X» Santolaria

Tweet I wrote for my employer at the bird site: twitter.com/Unit42_Intel/statu

2023-05-17 (Wednesday): Today, this week's BB28 #Qakbot-style distribution chain pushed #Pikabot instead of Qakbot. Followed up with #CobaltStrike using #DNSTunneling. We later saw additional Cobalt Strike traffic over HTTPS. List of IOCs available at github.com/pan-unit42/tweets/b

A carved #pcap of the infection traffic (removed everything not related to the #Pikabot & #CobaltStrike) and the associated malware/registry updates available at malware-traffic-analysis.net/2

MSFT obtains court order to sinkhole Cobalt Strike C&C traffic.

The order lists 16 John Does as

Appendix A of the order identifies the Hosting Companies/Data Centers Where Defendants Placed the Command and Control Servers and the 1000 or so C&C IP addresses.

It also includes the Whois for the ~110 C&C domains.

The contact data for these are redacted or unavailable from the ccTLD operator.

So...

_none_ of the domain registrations yielded the name and contact of a party that could be named as a defendant in the action?

Microsoft's attorneys have filed dozens of orders like this one. Surely they asked for a Whois reveal or asked for billing data.

So...

_none_ of the domain registration BILLING DATA yielded the name and contact of a party that could be named as a defendant in the action?

databreachtoday.com/microsoft-

#ransomware #malware #cobaltstrike #c2 #whois #itsalwaysdns #exceptwhenitsIPs

Set aside privacy protection (it can be managed for all natural person's complete and accurate contact data) but share with me:

www.databreachtoday.com · Microsoft Gets Court Order to Sinkhole Cobalt Strike Traffic: Cobalt maker Fortra, Microsoft and the Health Information Sharing and Analysis Center obtained a U.S. federal court order redirecting into sinkhole servers the

The cyber crims are working through the holidays, and so are we. Here's Monday's newsletter on all the developments in infosec, just for you:

opalsec.substack.com/p/soc-gou

International law enforcement agencies notched up another win last week, having successfully taken down the notorious Initial Access Broker Genesis Marketplace last week - or did they? The site remains active and the admins appear to have gotten away unscathed, so what victory was there to be had?

#Microsoft, in collaboration with #Fortra and the Health ISAC, is commencing work to dismantle infrastructure used by actors abusing cracked versions of the offensive Cobalt Strike framework. It'll be an uphill battle, and it remains to be seen if they can make a dent in the sprawling global footprint achieved by the cyber crim's implant of choice.

Be warned - a PoC exploit has been released for a CVSS 10.0 Sandbox Escape vulnerability impacting the VM2 JavaScript Sandbox, which itself has >16 million monthly downloads on #npm. Researchers have also uncovered a vulnerability in #WiFi APs that could allow hijacking and snooping of client traffic; #Apple patches two actively exploited 0-days in #iOS, #iPadOS and #macOS, and #CISA urges patching of #Zimbra bugs exploited by Russian APTs.

The #redteam have some great tooling and tradecraft to help with Microsoft #MFA enumeration and performing port forwarding on compromised #Cisco gear, while the #blueteam are again spoiled for choice - a new database of exploited drivers, research on abuse of SFX archives for persistence, and threat models for #AWS KMS and CI/CD pipelines - take your pick!

Check out the newsletter and catch all this and much more excellent threat and tradecraft research, to help you gear up for the week ahead:

opalsec.substack.com/p/soc-gou

Happy Easter Monday to everyone lucky enough to be enjoying the holiday, I hope you're all having a great break wherever you are, and a reminder that if you're travelling on the roads, to please drive safe!

Opalsec · SOC Goulash: Weekend Wrap-Up, by Opalsec
#infosec #cyber #news

Happy Monday folks, I hope you had a restful weekend and managed to take a breather from all things cyber! Time to get back into it though, so let me give you a hand - catch up on the week’s infosec news with the latest issue of our newsletter:

opalsec.substack.com/p/soc-gou

#Emotet are back and are using…OneNote lures? ISO disk images? Malvertising? Nah – they’re sticking with their tried and true TTPs – their Red Dawn maldoc template from last year, macro-enabled documents as lures, and null-byte padding to evade automated scanners.

We’ve highlighted a report on the Xenomorph #Android Banking Trojan, which added support for targeting accounts of over 400 banks; automated bypassing of MFA-protected app logins, and a Session Token stealer module. With capabilities like these becoming the norm, is it time to take a closer look at the threat Mobile Malware could pose to enterprise networks?

North Korean hackers have demonstrated yet again that they’re tracking and integrating the latest techniques, and investing in malware development. A recent campaign saw eight new pieces of malware distributed throughout the kill chain, leveraging #Microsoft #InTune to deliver payloads and an in-memory dropper to abuse the #BYOVD technique and evade EDR solutions.

A joint investigation by #Mandiant and #SonicWall has unearthed a two-year campaign by Chinese actors, enabled through exploitation of unpatched SMA100 appliances and delivery of tailored payloads. A critical vulnerability reported by #Fortinet this week helps reinforce the point that perimeter devices need to be patched with urgency, as it’s a well-documented target for Chinese-affiliated actors.

#HiatusRAT is a novel malware targeting #DrayTek routers, sniffing network traffic and proxying C2 traffic to forward-deployed implants. TTPs employed in recent #BatLoader and #Qakbot campaigns are also worth taking note of, as is #GoBruteforcer, a new malware family targeting specific web server applications to brute force logins and deploy an IRC bot for C2.

Those in Vulnerability Management should take particular note of the #Veeam vulnerability, which appears trivial to exploit and actually delivers plaintext credentials to the attacker. CISA have also taken note of nearly 40k exploit attempts of a 2 year old code-exec-as-root vulnerability in the #VMWare Cloud Foundation product in the last two months, so make sure you’re patched against it.

#Redteam members have some excellent reading to look forward to, looking at HTTP request smuggling to harvest AD credentials and persisting with a MitM Exchange server, as well as a detailed post that examines #CobaltStrike’s reflective loading capability;

The #blueteam has some great tradecraft tips from @inversecos on #Azure DFIR, as well as tools to help scan websites for malicious objects, and to combat the new #Stealc #infostealer and well-established Raccoon Stealer.

Catch all this and much more in this week's newsletter:

opalsec.substack.com/p/soc-gou

Opalsec · SOC Goulash: Weekend Wrap-Up, by Opalsec
#infosec #cyber #news

This week's #infosec newsletter issue is out! Have a look at it. It includes, but not only:

  • CISA warns of actively exploited #Plex bug after #LastPass breach
  • Brazil seizing #FlipperZero shipments to prevent use in crime
  • #IBM X-Force on defining the #CobaltStrike Reflective Loader
  • Security researchers targeted with new #malware via job offers on #LinkedIn
  • Alleged NetWire RAT Operator Arrested in Croatia as FBI Seizes Website
  • Xenomorph #Android malware now steals data from 400 banks
  • #GitHub makes 2FA mandatory next week for active developers
  • The #Akuvox E11 door phone/intercom is riddled with security holes
  • Custom Chinese Malware Found on #SonicWall Appliance
  • Building Great OT Incident Response Tabletop Exercises, by @hacks4pancakes
  • Warning: Don't Let #Google Manage Your #Passwords
  • #Fortinet warns of new critical unauthenticated RCE #vulnerability
  • #Veeam fixes bug that lets hackers breach #backup infrastructure
  • AI-Powered '#BlackMamba' Keylogging Attack Evades Modern #EDR Security
  • Hard-coded secrets up 67% as secrets sprawl threatens software supply chain
  • #Emotet malware attacks return after three-month break

... and many more. Subscribe to receive it directly in your inbox every Sunday!

#cybersecurity #security #newsletter

0x58.substack.com/p/my-shared-

X’s Infosec Newsletter · My Shared Links - Week 10/2023, by Xavier «X» Santolaria

Originally posted on Twitter at: twitter.com/Unit42_Intel/statu

2023-01-31 (Tuesday) - #Qakbot (#Qbot) returns after one month hiatus, now using OneNote (.one) files as initial lure. Saw #CobaltStrike on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at github.com/pan-unit42/tweets/b

#pcap and malware samples at malware-traffic-analysis.net/2

VNC traffic on 78.31.67[.]7 port 443.

Overall, this is the same type of Qakbot activity seen last year. The only real difference is the OneNote files.