Tag: Cobalt | SpinSafe

Microsoft SQL servers hijacked to deliver Cobalt Strike and ransomware

September 4, 2023/in Internet Security

Unknown threat actors are targeting poorly protected Microsoft SQL servers, in an attempt to infect them with a new strain of ransomware.

A new report from cybersecurity researchers Securonix outlines a campaign in which hackers first try to brute-force their way into MS SQL servers.

When they succeed, they do a number of things, including the deployment of a Cobalt Strike beacon, lateral movement across the target network and endpoints, and ultimately – the deployment of a ransomware strain called FreeWorld.

FreeWorld ransomware

FreeWorld seems to be a variant of a known encryptor called Mimic. While the goal of the campaign is as expected (stealing sensitive data and encrypting the endpoints) the way the hackers use the tools and infrastructure to get there is quite unique. Securonix explained in its writeup, saying: “Some of these tools include enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads.”

The success of the campaign depends exclusively on the strength of the password used to protect an MS SQL server, the researchers concluded. “It’s important to emphasize the importance of strong passwords, especially on publicly exposed services.” After all, it’s the servers with weak passwords that ended up being compromised.

Ransomware is one of the most popular types of cybercrime out there. After a relatively peaceful 2022, this year the number of ransomware attacks skyrocketed, figures from Coveware have shown. At the same time, awareness among potential victims is growing, resulting in fewer organizations paying the ransom demand. The percentage of compromised organizations that ended up paying the ransom demand fell to a record low of 34%, the same source claims.

Those that did pay – ended up paying quite a lot. The average amount surpassed $700,000, up 126% compared to Q1 2023.

Via: TheHackerNews

Source…

Hackers Alter Cobalt Strike Beacon to Target Linux Environments

September 17, 2021/in Computer Security

A significant part of hacking consists of diverting the function of existing systems and software, and hackers often use legitimate security tools to perform cyber attacks.

Pentesting tool Cobalt Strike has been one such target, but what happened recently with a Red Hat Linux version of the Cobalt Strike Beacon is worthy of note. According to cybersecurity researchers, it could be the work of an advanced threat actor.

How is Cobalt Strike Beacon Used in Cyberattacks?

Cobalt Strike is an exploitation platform. The idea is to emulate attacks from advanced adversaries and potential post-exploitation actions.

You can see it as a framework used by security teams for test purposes and threat groups. The software creates connections (using Cobalt Strike servers) to attack networks. In addition, it contains tons of components that are pretty convenient and customizable.

The beacon is the client. That’s why attackers have to install it on the targeted machine, which usually happens after exploiting a vulnerability. If the attack succeeds, hackers can maintain a persistent connection between the beacon and Cobalt Strike rogue servers, sending data periodically.

A New Variant of Cobalt Strike

Cobalt Strike Beacon Linux enables emulation of advanced attacks to a network over HTTP, HTTPS, or DNS.

It provides a console where you can open a beacon session and enter specific commands. The console returns command output and other information. Users get access to a status bar and various menus that extract information and interact with the target’s system.

Beacon’s shell commands are handy for performing various injections, remote command executions, and unauthorized uploads and downloads.

The skilled hackers who implemented this Linux variant achieved tremendous success. Their version has a scary ability to remain undetected. It can get disk partitions, list, write and upload files, and execute commands as well.

The malware has been renamed Vermilion. The name vermillion came from the Old French word vermeillon, which was derived from vermeil, from the Latin vermiculus, the diminutive of the Latin word vermis, or worm.

How Does a Beacon Attack Work?

The Cobalt Strike’s Command and Control…

Source…

SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader

January 19, 2021/in Computer Security

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool that researchers call Raindrop and was used for distribution across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

Sunspot, the initial malware used to inject backdoors into the Orion platform builds
Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
Teardrop post-exploitation tool delivered by Sunburst on select victims deploy customized Cobalt Strike beacons
Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but it is different as far as the deployment mechanism is concerned, as well as at the code level..

To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover as it is not used in any way.

In one victim that installed the trojanized Orion platform in early July 2020, Symantec found that teardrop came the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where malicious activity had not been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers…

Source…

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

December 28, 2020/in Computer Security

malware

A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.

This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

Multiple researchers have linked this strain to MuddyWater (aka SeedWorm and TEMP.Zagros), a government-backed advanced persistent threat (APT) group, first observed in 2017 while mainly targeting Middle Eastern entities.

Word macro spins up PowerShell script hosted on GitHub

This week researcher Arkbird has shared details on a new macro-based malware that is evasive and spawns payload in multifaceted steps.

The malware strand which looks “like MuddyWater,” according to the researcher, ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group.

In tests by BleepingComputer, when the Word document is opened, it runs the embedded macro. The macro further launches powershell.exe and feeds it the location of a PowerShell script hosted on GitHub.

Word Macro with link to GitHub — **Macro script embedded within the malicious Word doc**
Source: BleepingComputer

The single-line PowerShell script has instructions to download a real PNG file (shown below) from the image hosting service Imgur.

While this image itself may be benign, its pixel values are used by the PowerShell script in calculating the next stage payload, a technique known as steganography.

Malware calculates next stage payload by decoding the image pixel values — **Malware calculates the next stage payload by decoding the pixel values within this image**
Source: Imgur

As observed by BleepingComputer and shown below, the payload calculation algorithm runs a foreach loop to iterate over a set of pixel values within the PNG image and performs specific arithmetic operations to obtain functional ASCII commands.

imgur payload download — **PowerShell script hosted on GitHub downloads PNG from Imgur and uses it to calculate the payload**
Source: BleepingComputer

Decoded script executes Cobalt Strike payload

The decoded script obtained from manipulating the PNG’s pixel values is a Cobalt Strike script.

Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy “beacons” on compromised devices to remotely “create shells,…

Source…

Tag Archive for: Cobalt

How is Cobalt Strike Beacon Used in Cyberattacks?

A New Variant of Cobalt Strike

How Does a Beacon Attack Work?

Disguised as 7-Zip file to load Cobalt Strike

Word macro spins up PowerShell script hosted on GitHub

Decoded script executes Cobalt Strike payload