Dive Into Cobalt Strike

A few days ago, someone uploaded an interesting OLE file to VirusTotal. It abuses the Kaspersky brand, and it is written in Russian and English language. Unfortunately, the original document uses a coercive lure, and the macros contain logic to download weaponized artifacts. File Type: Microsoft Windows Document MD5 at InQuest Labs: [3272df3f79a0fa8c2ba601c4771b99e4](

KasperSky notification
Image 1: 3272df3f79a0fa8c2ba601c4771b99e4 document lure

At the time of submission, the document had low consensus on AV detection.

File flagged by 4 vendors as malicious
Image 2: Shallow AV detection

According to VirusTotal, someone using TOR submitted the file on May 7th, 2021. The original file’s name is “Поздравление.doc” Which translated to English means “Congratulations.doc” A quick analysis shows that the document contains macros with functionality to drop new artifacts to the system:

Code screenshot
Image 3: Base64 Encoded String

Decoding the URL that was hardcoded in the file results in hxxp://176.10.125[.]23:8000/headerelement[.]jpg According to public Whois data, it’s a server located in Switzerland and belongs to a hosting company. Shortly after the initial attack, the threat actor removed the file 2nd stage malware. However, we were able to get it before they wiped it out from the Internet. The executable file contains a large block of ciphertext. It’s decrypted during execution using the AES-256(CBC) algorithm. The encryption key is also hardcoded in the payload. File Type: PE32+ executable for MS Windows (GUI) Mono/.Net assembly MD5: ACFBDC828CE6D121CDAEE18A29084A5A

Code screenshot
Image 4: Hardcoded key
Code screenshot
Image 5: Decrypt Function

Now with the key on hand, it drops to the system the final payload.

Code screenshot
Image 6: Decrypting Payload
Code screenshot
Image 7: Final Payload

File Type: Portable Executable 32 MD5: 42DE14F600C0C73F10DFAFE2A34BC8FC

Code screenshot
Image 8: Executing shellcode in process memory

The executable file is obfuscated and the payload is executed exclusively as a decrypted shellcode. Static analysis shows that some of the data is encoded using xor 0x2E. This encoding is indicitive of Cobalt Strike.

Code screenshot
Image 9: Configuration of encrypted xor 0x2E
 { "BeaconType": [ "HTTP" ], "Port": 80, "SleepTime": 45000, "MaxGetSize": 1864877, "Jitter": 43, "C2Server": ",/mobile.js", "HttpPostUri": "/staff", "Malleable_C2_Instructions": [ "Remove 737 bytes from the beginning", "Base64 decode", "Base64 decode" ], "SpawnTo": "idYKSm+iuVOAjCzm9Iy8bw==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\syswow64\svchost.exe -k secsvcs", "Spawnto_x64": "%windir%\sysnative\svchost.exe -k secsvcs", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1639584573, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 5517, "ProcInject_PrependAppend_x86": [ "QkpFTUpCQko=", "Empty" ], "ProcInject_PrependAppend_x64": [ "/8D/yP/A/8g=", "Empty" ], "ProcInject_Execute": [ "ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread" ], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": "" } 




Targeted attacks using the Cobalt Strike penetration tool are occurring more and more frequently. Analysts need to know precisely how such campaigns are carried out to protect their clients and ensure the information security of their corporate networks.