Dive Into Cobalt Strike

Posted on 2021-05-11 by InQuest Labs Community User

A few days ago, someone uploaded an interesting OLE file to VirusTotal. It abuses the Kaspersky brand, and it is written in Russian and English language. Unfortunately, the original document uses a coercive lure, and the macros contain logic to download weaponized artifacts.

File Type: Microsoft Windows Document
MD5 at InQuest Labs: 3272df3f79a0fa8c2ba601c4771b99e4


Image 1: 3272df3f79a0fa8c2ba601c4771b99e4 document lure

At the time of submission, the document had low consensus on AV detection.


Image 2: Shallow AV detection

According to VirusTotal, someone using TOR submitted the file on May 7th, 2021. The original file's name is "Поздравление.doc" Which translated to English means "Congratulations.doc"

A quick analysis shows that the document contains macros with functionality to drop new artifacts to the system:


Image 3: Base64 Encoded String

Decoding the URL that was hardcoded in the file results in hxxp://176.10.125[.]23:8000/headerelement[.]jpg

According to public Whois data, it's a server located in Switzerland and belongs to a hosting company.

Shortly after the initial attack, the threat actor removed the file 2nd stage malware. However, we were able to get it before they wiped it out from the Internet.

The executable file contains a large block of ciphertext. It's decrypted during execution using the AES-256(CBC) algorithm. The encryption key is also hardcoded in the payload.

File Type: PE32+ executable for MS Windows (GUI) Mono/.Net assembly
MD5: ACFBDC828CE6D121CDAEE18A29084A5A


Image 4: Hardcoded key


Image 5: Decrypt Function

Now with the key on hand, it drops to the system the final payload.


Image 6: Decrypting Payload


Image 7: Final Payload

File Type: Portable Executable 32
MD5: 42DE14F600C0C73F10DFAFE2A34BC8FC


Image 8: Executing shellcode in process memory

The executable file is obfuscated and the payload is executed exclusively as a decrypted shellcode. Static analysis shows that some of the data is encoded using xor 0x2E. This encoding is indicitive of Cobalt Strike.


Image 9: Configuration of encrypted xor 0x2E

{
"BeaconType": [ "HTTP"
],
"Port": 80,
"SleepTime": 45000,
"MaxGetSize": 1864877,
"Jitter": 43,
"C2Server": "176.10.125.23,/mobile.js", "HttpPostUri": "/staff", "Malleable_C2_Instructions": [
"Remove 737 bytes from the beginning", "Base64 decode",
"Base64 decode"
],
"SpawnTo": "idYKSm+iuVOAjCzm9Iy8bw==", "HttpGet_Verb": "GET",
"HttpPost_Verb": "POST", "HttpPostChunk": 0,
"Spawnto_x86": "%windir%\\syswow64\\svchost.exe -k secsvcs", "Spawnto_x64": "%windir%\\sysnative\\svchost.exe -k secsvcs", "CryptoScheme": 0,
"Proxy_Behavior": "Use IE settings", "Watermark": 1639584573, "bStageCleanup": "True", "bCFGCaution": "False",
"KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 5517, "ProcInject_PrependAppend_x86": [ "QkpFTUpCQko=",
"Empty"
],
"ProcInject_PrependAppend_x64": [ "/8D/yP/A/8g=",
"Empty"
],
"ProcInject_Execute": [ "ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"
],
"ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True",
"HostHeader": ""
}

IOCs:
42DE14F600C0C73F10DFAFE2A34BC8FC
3272df3f79a0fa8c2ba601c4771b99e4
176.10.125[.]23/mobile.js

Conclusion:
Targeted attacks using the Cobalt Strike penetration tool are occurring more and more frequently. Analysts need to know precisely how such campaigns are carried out to protect their clients and ensure the information security of their corporate networks.

Tags
guest malware-analysis