
Novel GootLoader Malware Strain Bypasses Detection and Spreads Quickly


GootBot, a new variant of the GootLoader malware, has been detected to enable lateral movement on compromised systems and avoid detection.

Golo Mühr and Ole Villadsen of IBM X-Force said that the GootLoader group introduced their own custom bot into the final stages of their attack chain in an effort to evade detection while employing commercial C2 tools like CobaltStrike or RDP.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads," the researchers explained. 

As its name suggests, GootLoader is a malware that can lure in potential victims by employing search engine optimisation (SEO) poisoning techniques, and once inside, it can download more sophisticated malware. It is linked to a threat actor known as UNC2565, also tracked as Hive0127. 

The use of GootBot suggests a shift in strategy away from post-exploitation frameworks like CobaltStrike, with the implant being downloaded as a payload following a GootLoader infection.

GootBot, which is described as an obfuscated PowerShell script, is designed to connect to a WordPress website that has been compromised in order to take control of it and issue commands. The use of an alternate hard-coded C2 server for every deposited GootBot sample complicates matters even more and makes it challenging to block malicious traffic. 

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers added.

An obfuscated JavaScript file included in the archive file is executed by a scheduled task to retrieve another JavaScript file for persistence. 

In the second stage, the JavaScript is engineered to execute a PowerShell script that collects system information and exfiltrates it to a remote server. The server then responds with another PowerShell script that runs indefinitely and gives the threat actor the ability to distribute different payloads.

Among them is GootBot, which sends out beacons to its C2 server once every 60 seconds to retrieve PowerShell tasks to be executed and sends back HTTP POST requests to the server with the results of the execution. GootBot's other skills include reconnaissance and lateral movement, which let it effectively increase the attack's range.
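As an added example (not from the post or the IBM X-Force report), the following script looks for the beaconing pattern described above, a POST to the same host roughly every 60 seconds, in constructed proxy log lines; the log format, hostnames and client addresses are assumptions.

```python
"""Beacon-interval detection over proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <host> <path> <status>"
SAMPLE_LOG = """\
2023-11-07T09:00:00 10.0.0.5 POST blog.example.org /wp-content/plugins/x.php 200
2023-11-07T09:01:01 10.0.0.5 POST blog.example.org /wp-content/plugins/x.php 200
2023-11-07T09:01:59 10.0.0.5 POST blog.example.org /wp-content/plugins/x.php 200
2023-11-07T09:03:00 10.0.0.5 POST blog.example.org /wp-content/plugins/x.php 200
2023-11-07T09:04:02 10.0.0.5 POST blog.example.org /wp-content/plugins/x.php 200
2023-11-07T09:00:10 10.0.0.7 GET news.example.com / 200
2023-11-07T09:00:12 10.0.0.7 GET news.example.com /img/a.png 200
2023-11-07T09:07:45 10.0.0.7 GET news.example.com /story/1 200
2023-11-07T09:30:03 10.0.0.7 GET news.example.com /story/2 304
2023-11-07T09:31:10 10.0.0.7 GET news.example.com /story/3 200
"""


def parse(lines):
    """Yield (client, host, method, timestamp) for each well-formed line; skip junk."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, host, _path, _status = parts
        try:
            yield client, host, method, datetime.fromisoformat(ts)
        except ValueError:
            continue


def find_beacons(log_text, expected=60.0, tolerance=5.0, min_requests=4):
    """Return {(client, host): (median_gap, jitter, post_ratio)} for client/host
    pairs whose inter-request gap sits near `expected` seconds with low jitter
    and whose traffic is dominated by POSTs (task results going back to the C2)."""
    buckets = defaultdict(list)
    for client, host, method, ts in parse(log_text):
        buckets[(client, host)].append((ts, method))
    hits = {}
    for key, reqs in buckets.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        med = median(gaps)
        jitter = pstdev(gaps)
        posts = sum(1 for _, m in reqs if m == "POST") / len(reqs)
        if abs(med - expected) <= tolerance and jitter <= tolerance and posts >= 0.8:
            hits[key] = (med, jitter, posts)
    return hits


if __name__ == "__main__":
    for (client, host), (med, jit, posts) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: median {med:.0f}s, jitter {jit:.1f}s, POST {posts:.0%}")
```

Real implants add jitter and rotate hosts, so the tolerance and the per-host grouping are the knobs to widen when running this over production logs.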

Threat Actors Exploit SQL Servers to Deploy FreeWorld Ransomware


Threat actors are exploiting vulnerable Microsoft SQL servers, deploying Cobalt Strike and a ransomware strain named FreeWorld. 

According to cybersecurity firm Securonix, the campaign is notable for the way its infrastructure and toolkit are used. The firm has named the campaign DB#JAMMER.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads[…]The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," say security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a technical breakdown of the activity.

The attackers first gain access to the victim host by brute-forcing the MS SQL server, enumerating the database, and exploiting the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance.

Next, they take steps to disable the system firewall in order to establish persistence and install malicious software such as Cobalt Strike, connecting to a remote SMB share to transfer files to and from the targeted system.

This in turn opens the door for the eventual deployment of the FreeWorld ransomware via the AnyDesk software, but not before a lateral movement phase. Additionally, the unidentified attackers reportedly tried, without success, to use Ngrok to establish RDP persistence.

The researchers concluded, "The attack initially succeeded as a result of a brute force attack against a MS SQL server[…]It's important to emphasize the importance of strong passwords, especially on publicly exposed services."
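As an added example (not from the Securonix report), the script below runs the two detections a defender would want for the chain described above over constructed SQL Server ERRORLOG lines: a password-guessing burst against one login from one client, followed shortly by xp_cmdshell being enabled. The log lines, addresses and thresholds are constructed assumptions.

```python
"""Detect brute-force logins followed by xp_cmdshell enablement in SQL Server ERRORLOG
(added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG lines: twelve failed 'sa' logins from one client in a minute,
# one unrelated failure, a successful login, then xp_cmdshell being switched on.
FAILED = ("2023-09-01 10:15:{s:02d}.10 Logon       Login failed for user 'sa'. "
          "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]")
SAMPLE_ERRORLOG = "\n".join(FAILED.format(s=s) for s in range(0, 60, 5)) + "\n" + """\
2023-09-01 10:16:30.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2023-09-01 10:18:40.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.9]
2023-09-01 10:19:13.01 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d\d\s+\S+\s+(.*)$")
FAIL = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XPCMD = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse(text):
    """Yield (timestamp, message) per ERRORLOG line; lines without the prefix are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def analyze(text, window=timedelta(minutes=5), threshold=10):
    """Return (brute, events).
    brute:  {(client, user): max failures seen within any `window`} for pairs over threshold.
    events: [(timestamp, followed_bruteforce)] for each xp_cmdshell enablement, where
            followed_bruteforce is True if it came within `window` of a flagged burst."""
    failures = defaultdict(list)
    enables = []
    for ts, msg in parse(text):
        f = FAIL.search(msg)
        if f:
            failures[(f.group(2), f.group(1))].append(ts)
        elif XPCMD.search(msg):
            enables.append(ts)
    brute = {}
    for key, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            brute[key] = best
    last_brute = max((t for k in brute for t in failures[k]), default=None)
    events = [(ts, last_brute is not None and ts - last_brute <= window) for ts in enables]
    return brute, events


if __name__ == "__main__":
    brute, events = analyze(SAMPLE_ERRORLOG)
    for (client, user), n in brute.items():
        print(f"brute force: {n} failures for '{user}' from {client}")
    for ts, linked in events:
        print(f"xp_cmdshell enabled at {ts}{' after brute-force burst' if linked else ''}")
```

Either signal alone is worth an alert on an internet-exposed instance; the two within minutes of each other is the DB#JAMMER sequence described above.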

According to figures released by Coveware in July 2023, the year has seen a record-breaking increase in ransomware attacks following a lull in 2022, even though the proportion of incidents in which the victim paid has fallen to a record low of 34%.

The report also noted that the average ransom payment has reached $740,144, up 126% from Q1 2023.

Moreover, fluctuations in monetization rates have tracked closely with developments in the extortion tradecraft of ransomware threat actors, who disclose specifics of their attack methods to argue that victims are ineligible for a cyber insurance claim.

"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.

Hackers Target Apple macOS Systems with a Golang Version of Cobalt Strike


Threat actors intending to attack Apple macOS systems are likely to pay attention to Geacon, a Cobalt Strike implementation written in the Go programming language. 

The findings come from SentinelOne, which noticed an increase in the number of Geacon payloads appearing on VirusTotal recently.

"While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss explained in a report. 

Cobalt Strike, created by Fortra, is a well-known red teaming and adversary simulation tool. Illegally cracked versions of the software have been abused by threat actors over the years because of its numerous post-exploitation features. Cobalt Strike post-exploitation activity has mostly targeted Windows; attacks against macOS are rather uncommon.

A malicious Python package called "pymafka" was created to install a Cobalt Strike Beacon on infected Windows, macOS, and Linux computers. Sonatype, a software supply chain company, revealed details of this package in May 2022. 

The discovery of Geacon artefacts in the wild, however, could alter that. GitHub has hosted Geacon, a Go version of Cobalt Strike, since February 2020. Further investigation into two fresh VirusTotal samples uploaded in April 2023 has linked them to two Geacon versions (geacon_plus and geacon_pro) created in late October by two unidentified Chinese developers, z3ratu1 and H4de5. The geacon_pro project is no longer available on GitHub, but an Internet Archive snapshot from March 6, 2023 shows that it claims to get past antivirus programmes including Microsoft Defender, Kaspersky, and Qihoo 360 Core Crystal.

While geacon_plus supports CobaltStrike versions 4.0 and later, the tool's creator, H4de5, states that geacon_pro is primarily meant to handle CobaltStrike versions 4.1 and later. Cobalt Strike itself is currently at version 4.8.

One of the artefacts found by SentinelOne, Resume_20230320.app by Xu Yiqing, uses a run-only AppleScript to connect to a remote server and download a Geacon payload. It runs on both Apple silicon and Intel architectures.

"The unsigned Geacon payload is retrieved from an IP address in China," the researchers explained. "Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named 'Xu Yiqing.'"

The Geacon binary, created by compiling the geacon_plus source code, includes a wide range of features that enable it to download next-stage payloads, exfiltrate data, and improve network connections. 

The second sample is reportedly embedded in a trojanized app that poses as the SecureLink remote assistance app (SecureLink.app) and primarily targets Intel devices, according to the cybersecurity firm.

The basic, unsigned programme asks users for permission to access contacts, pictures, reminders, as well as the camera and microphone on the smartphone. The Geacon payload from the geacon_pro project, which connects to a known command-and-control (C2) server in Japan, is the core element of the attack.

Domino Backdoor Malware Created by FIN7 and Ex-Conti

Members of the now-defunct Conti ransomware gang have been using a new strain of malware developed by threat actors likely affiliated with the FIN7 hacking group. This suggests that the two teams collaborated in the malware development, indicating a cooperative effort. 

In the past month, IBM discovered an innovative malware family known as "Domino," which was developed by ITG14, aka FIN7, one of the most notorious cybercrime groups in the world. A lesser-known information stealer that has been advertised for sale on the dark web since December 2021 is included in Domino, which facilitates further exploitation of compromised systems.

Research by the X-Force team revealed that in May, when the Conti gang was disbanded, Conti threat actors began using Domino. This was about four months after FIN7 started using Domino in October last year.  

The newly discovered Trojan horse, "Domino," has been used by a TrickBot/Conti gang, ITG23, since February 2023, according to X-Force.

According to an IBM research report, Domino's code overlaps with that of Lizar, malware previously linked to the FIN7 group. The two malware families also share similarities in functionality, configuration structure, and the formats used for handling bots.

IBM's security researchers reported that, in some recent campaigns, Domino may have been used in place of Lizar, also known as Tirion and Dice Loader, which was used for attacks between March 2020 and late 2022.

According to IBM researchers, there have been attacks using a malware loader, known as Dave Loader, which was previously used by Conti ransomware and TrickBot members in the fall of 2022. 

In attacks carried out by ex-Conti members under the Royal and Play ransomware operations, this loader was observed deploying Cobalt Strike beacons that used a '206546002' watermark.

Former members of ITG23 could be behind the recent cyberattacks that are believed to have been carried out using the Dave Loader to inject the Domino Backdoor. 

ITG14, also known as FIN7, is a prolific Russian-speaking cybercriminal syndicate that is known for employing a variety of custom malware to deploy additional payloads to increase their monetization methods and enlarge their distribution channels. 

Domino Backdoor is a 64-bit DLL that enumerates system information, such as the names and statuses of processes, usernames, and computer names, and sends that information back to the attacker's command-and-control server for analysis. The backdoor then receives commands to execute, and further payloads can be delivered through it.

The backdoor was observed downloading an additional loader, Domino Loader, which installed an embedded information stealer calling itself 'Nemesis Project.' Additionally, it could plant a Cobalt Strike beacon.

A Conti loader called "Dave" was used by the threat actors during the campaign to drop FIN7's Domino backdoor on the endpoints. The backdoor was able to gather basic information about the system at hand and send it to a command and control server (C2). 

Once the system was compromised, the C2 returned an AES-encrypted payload to it. In many cases the encrypted payload was another loader with several code similarities to the initial Domino backdoor. The Domino loader then installed either Cobalt Strike or the Project Nemesis info stealer on the compromised system to complete the attack chain.

The majority of threat actors, especially those who use ransomware to gain access to corporate networks, partner with other threat groups to distribute malware. The lines between malware developers and ransomware gangs have blurred over the years, leaving little distinction between them.

It was only a matter of time before the lines between TrickBot and BazarBackdoor became blurred as the Conti cybercrime syndicate, based in Rome, assumed control over both sites' development for its exploitation. 

According to Microsoft, a threat actor called DEV-0569 carried out intrusions in November 2022 that used BATLOADER malware to deliver Vidar and Cobalt Strike, the latter eventually enabling the human-operated ransomware attacks that distributed Royal in December 2022.

As the cybercrime ecosystem grows murkier, distinguishing malware developers from ransomware gangs is becoming increasingly difficult.

Hackers Exploit Action1 RMM in Ransomware Attacks


Remote Monitoring and Management (RMM) tools are an essential part of IT management, allowing businesses to remotely monitor and manage their IT systems. However, recent reports indicate that hackers increasingly target RMM tools to launch ransomware attacks against businesses.

One RMM tool specifically targeted is Action1, a cloud-based endpoint management platform. Hackers have been exploiting vulnerabilities in the platform to gain unauthorized access to systems and launch ransomware attacks.

According to a tweet by Kostas Tsartsaris, an information security researcher, attackers have been abusing Action1 RMM to deploy Cobalt Strike and other malicious payloads. Cobalt Strike is a powerful penetration testing tool that has been repurposed by hackers for use in ransomware attacks.

Businesses can turn to Digital Forensics and Incident Response (DFIR) services to prevent and respond to such attacks. These services allow businesses to quickly identify and respond to cybersecurity incidents, including ransomware attacks.

In response to the rising threat of ransomware, Action1 has unveiled an AI-based threat-hunting solution. This solution uses machine learning algorithms to detect and respond to potential security threats in real-time.

While RMM tools are essential for IT management, businesses must be aware of the potential security risks associated with them. By implementing robust security measures, such as DFIR services and AI-based threat hunting solutions, businesses can help to protect their systems and data from ransomware attacks and other cyber security threats.

It is important for businesses to remain vigilant and proactive in their approach to cyber security. By staying up-to-date with the latest security trends and implementing best practices, businesses can help to mitigate the risks of cyber-attacks and protect their valuable data.

eSentire: Golden Chickens Malware's Attacker Uncovered

The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. Golden Chickens is the malware of choice for FIN6 and Cobalt, two of the most established and prosperous Russian cybercrime groups, which have collectively stolen an estimated $1.5 billion US.

Golden Chickens, also tracked as VENOM SPIDER, is the creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for gaining and retaining access to victim machines and ticketing services.

The 'Chuck from Montreal' identity used by the second threat actor Frapstar allows the cybersecurity company to link together the criminal actor's online trail.

The malware-as-a-service (MaaS) provider Golden Chickens is associated with several tools, including the JavaScript downloader More Eggs and the malicious document creator Taurus Builder. Previous More Eggs campaigns, some dating back to 2017, involved spear-phishing executives on LinkedIn with phony job offers that gave threat actors remote control over victim devices, which they used to gather data or spread more malware.

The same tactics were used last year against corporate recruiting managers, with malware-laced resumes as the infection vector. The first known instance of Frapstar's activities dates back to May 2015, when Trend Micro referred to him as a 'lone criminal' and a luxury automobile fanatic.

According to eSentire, one of the two threat actors believed to be behind the badbullzvenom account on the underground forum Exploit.in may be Chuck, with the other person probably residing in Moldova or Romania. In a new attack campaign targeting e-commerce businesses, recruiters are being duped into downloading a malicious Windows shortcut file from a website that poses as a résumé, according to the Canadian cybersecurity company.

By highlighting Golden Chickens' multi-layer architecture and the MaaS's multi-client business model, researchers stress the challenges of performing accurate attribution for cyberattacks.


Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members


An anonymous hacking group launched DDoS attacks on Cobalt Strike servers operated by former Conti ransomware members, flooding them with anti-Russian messages to halt their operation.

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks. 

The hackers flooded the Cobalt Strike (CS) team servers used by former Conti members with anti-Russian messages such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!”

According to Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers operated by former Conti gang members.

The messages are flooding the servers at a rate of nearly two per second, disrupting the former Conti members' operations. Kremez says whoever is behind this activity is persistently targeting Cobalt Strike servers believed to be operated by former Conti ransomware members, resuming the flood whenever a new server is discovered.

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti was one of the most prolific ransomware groups of the last year, along with LockBit 2.0, PYSA, and Hive, and locked up hospital, corporate, and government agency networks while demanding ransom for the decryption key as part of its name-and-shame scheme.

After the ransomware gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the gang's malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust, since the HTTPS requests carried a message demanding that the company's data be deleted. However, the halt was temporary, and the ransomware gang came back online with enhanced infrastructure that allowed it to keep the stolen data available even while facing distributed denial-of-service (DDoS) attacks.

Infrastructure Used in Cisco Hack is the same used to Target Workforce Management Solution Firm


Experts from cybersecurity firm eSentire found that the attack infrastructure used in the recent Cisco hack was also used to target a leading workforce management company in April 2022.

They also observed that the attack was executed by a threat actor known as mx1r, an alleged member of the Evil Corp affiliate cluster called UNC2165.

What is UNC2165?

UNC2165 has been active since 2019 and is known for using the FAKEUPDATES infection chain (aka UNC1543) to gain access to victims' networks.

Experts observed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections which were used to execute BITPAYMER or DOPPELPAYMER in the final stage of the attack. 

Hades ransomware was also used

Earlier, the UNC2165 actors also used the HADES ransomware. As per eSentire, the hackers accessed the workforce management corporation's IT network via stolen Virtual Private Network (VPN) credentials. 

The experts found various underground forum posts, from April 2022, where mx1r was looking for VPN credentials for high-profile organizations. 

They also found posts on a dark web access broker auction site where a threat actor was buying VPN credentials for big U.S. companies.

Experts also found Cobalt Strike

The researchers also discovered the attackers attempting to move laterally in the network using a set of red team tools, including Cobalt Strike, network scanners, and Active Directory crawlers.

The attackers used Cobalt Strike to gain an initial foothold, and their hands-on actions were swift, moving quickly from initial access to enrolling their own virtual machine on the target VPN network.

eSentire researchers also noticed the attacker trying to launch a Kerberoasting attack (cracking passwords in Windows Active Directory via the Kerberos authentication protocol) which is also in line with the TTPs of the Evil Corp affiliate/UNC2165. 

eSentire experts discovered the attack

The TTPs of the attack on the workforce management company are similar to those of Evil Corp, while the attack infrastructure matches that of a Conti ransomware affiliate that has been seen using Hive and Yanluowang ransomware. eSentire tracks this infrastructure cluster as HiveStrike.

“It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165's pivot to LockBit as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti's new subsidiaries. Conti's subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand,” the eSentire report concludes. “It's also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.”