COBALT STRIKE ATTACKS

By John Limb, CTO at Braintrace
November 17, 2020 9:20 am ET

In the past few weeks, we have seen a significant increase in malicious attacks by bad actors using Cobalt Strike. Cobalt Strike is a legitimate tool used to give penetration testers access to many different attack capabilities. The issue lies when this toolkit gets into the wrong hands. Predominantly we have been seeing Cobalt Strike deploy an agent named “Beacon” for post-exploitation. Deploying this successfully can lead to a Ryuk Ransomware attack.

This week, BraintraceLABS is reporting Cobalt Strike as the most seen malware. Cobalt Strike enters the network in various ways, including via malware like BazarLoader. Malware can be installed with different tricks. The most common way is when the victim is tricked into clicking on a phishing campaign and downloads a file, which can be Word or Excel file. Then the user is tricked into enabling a macro. Once the macro is enabled, the malware will get into the network.

According to Microsoft, Cobalt Strike is being deployed through online ads claiming to be a Microsoft Teams update. The bad actor tricks the victim into clicking on a fake online ad. These advertisements will send the victim to an online domain under the control of the bad actor. When the victim clicks on the link, a download will begin. Instead of receiving the update, the user will download the payload, which can contain Cobalt Strike.

Dragonfly Encrypted Payload Analytics (EPA) prediction model identifies Cobalt Strike Beacon communications.

Braintrace’s Dragonfly is reporting the below C2 indicators of compromise for Cobalt Strike.

IP Address Web Hostname Country AS Label AS Number
31.44.184.131 31[.]44[.]184[.]131 Russia Petersburg Internet Network ltd. 44,050
173.234.155.227 livenx[.]com United States Leaseweb USA, Inc. 396,362
108.62.118.217 stylesam[.]com United States Leaseweb USA, Inc. 30,633
23.106.160.84 epicnut[.]com United States Leaseweb USA, Inc. 7,203
23.83.133.125 sslcar[.]com United States Leaseweb USA, Inc. 19,148
74.118.138.107 beltpost[.]com United States TeraSwitch Networks Inc. 20,326
81.17.28.105 idrivehelper[.]com Switzerland Private Layer INC 51,852
REACH OUT TO US
If you have any questions or concerns, please feel free to contact us at info@braintrace.com.