Cybereason Labs Analysis Operation Cobalt Kitty-Part1
Cybereason Labs Analysis Operation Cobalt Kitty-Part1
Cybereason Labs Analysis Operation Cobalt Kitty-Part1
Attack Lifecycle
By: Assaf Dahan
Penetration phase
Fake Flash Installer delivering Cobalt Strike Beacon
Word File with malicious macro delivering Cobalt Strike Beacon
Post infection execution of scheduled task
Establishing foothold
Windows Registry
Windows Services
Scheduled Tasks
Outlook Persistence
C2 Communication
Cobalt Strike Fileless Infrastructure (HTTP)
C&C payloads
Cobalt strike Malleable C2 communication patterns
Variant of Denis Backdoor using DNS Tunneling
Outlook Backdoor Macro as C2 channel
Custom NetCat
Internal reconnaissance
Internal Network Scanning
Information gathering commands
Vulnerability Scanning using PowerSploit
Lateral movement
Obtaining credentials
Mimikatz
Gaining Outlook credentials
Pass-the-hash and pass-the-ticket
Propagation via Windows Admin Shares
Windows Management Instrumentation (WMI)
1. Penetration
2. Foothold and persistence
3. Command & control and data exfiltration
4. Internal reconnaissance
5. Lateral movement
1. Link to a malicious site that downloads a fake Flash Installer delivering Cobalt Strike
Beacon
2. Word documents with malicious macros downloading Cobalt Strike payloads
The malicious macro creates two scheduled tasks that download files camouflaged as “.jpg”
files from the C&C server:
Scheduled task 1:
That downloads and executes an additional payload from the same server with a slightly
different name “microsoft.jpg”.
Quick memory analysis of the payload reveals that it is a Cobalt Strike Beacon, as seen in the
strings found in the memory of the PowerShell process:
Cybereason observed another method of Cobalt Strike Beacon delivery in infected machines.
©2017 Cybereason Inc. All rights reserved. 6
Once the initial PowerShell payload is downloaded from the server, it will pass an obfuscated
and XOR’ed PowerShell payload to cmd.exe:
The PowerShell process will then download the new ‘image.jpg’ payload, which is actually
another obfuscated PowerShell payload:
image.jpg - 9394B5EF0B8216528CED1FEE589F3ED0E88C7155
2. Establishing foothold
Gaining persistence is one of the attack’s most important phases. It insures that the malicious
code will run automatically and survive machine reboots.
The attackers used trivial but effective persistence techniques to ensure that their malicious
tools executed constantly on the infected machines. Those techniques consist of:
● Windows Registry Autorun
● Windows Services
● Windows Scheduled Tasks
©2017 Cybereason Inc. All rights reserved. 8
2.1. Windows Registry
The attackers used the Windows Registry Autorun to execute VBScript and PowerShell scripts
residing in the ProgramData folder, which is hidden by default:
The purpose of those .vbs scripts was to launch Cobalt Strike PowerShell scripts mainly
consisting of Cobalt Strike Beacon. Some of the files found in ProgramData appear to be .txt
files. However, their content is VBscript.
In addition, the attackers used NTFS Alternate Data Stream to hide their payloads. This is a
rather old trick to hide data from the unsuspecting users and security solutions.
The code inside the ‘hidden’ .txt file launches a PowerShell process with a base64-encoded
command:
This launches a PowerShell script, which loads an obfuscated and encoded Cobalt Strike’s
beacon payload:
©2017 Cybereason Inc. All rights reserved. 9
2.2. Windows Services
The attackers created and/or modified Windows Services to ensure the loading of the
PowerShell scripts on the compromised machines. These scripts are mostly PowerShell-
encoded Cobalt Strike’s Beacon payloads:
The attackers placed a fake “msfte.dll” under the system32 folder, where the vulnerable
©2017 Cybereason Inc. All rights reserved. 10
applications reside by default. This ensured that the fake “msfte.dll” would be loaded each time
Wsearch launched these applications:
For further details about the backdoor, please refer to Cobalt Kitty Attacker’s Arsenal: Deep dive
into the tools used in the APT.
PowerShell Loader:
Google Update:
©2017 Cybereason Inc. All rights reserved. 11
The attackers exploited a DLL hijacking vulnerability in a legitimate Google Update binary,
which was deployed along with a malicious DLL (goopdate.dll). By default, GoogleUpdate.exe
creates a scheduled task that checks if a new version of Google products is available.
As a result, each time GoogleUpdate.exe application ran, it automatically loaded the malicious
goopdate.dll:
For further details about the backdoor, please refer to Cobalt Kitty Attacker’s Arsenal: Deep dive
into the tools used in the APT.
C&C payloads
Following are a few examples of C&C payloads used as part of the fileless payload delivery
infrastructure.
A .pcap file that was recorded during the execution of the Cobalt Strike payloads clearly shows
the usage of the Malleable C2 profiles, in that case - the “safebrowsing.profile”:
By communicating with known DNS servers, the attackers ensured that the backdoor’s traffic
will not be filtered by firewalls and other security products since it’s unlikely for most
organizations to block OpenDNS and Google’s DNS servers.
Example of DNS tunneling can be seen in this instance of ARP.exe that was spawned by
searchindexer.exe, which loaded the fake msfte.dll:
During the third phase of the attack, the attackers used an advanced technique that turned
Microsoft Outlook into a C2 channel by replacing the email program’s original VbaProject.OTM
macro container with a malicious one containing a backdoor functionality. Using this backdoor,
the attackers managed to send system commands via emails from a Gmail address and
exfiltrate data.
The decoded malicious macro is loaded after boot and constantly looks for incoming emails
containing the strings $$cpte and $$ecpte.
The attacker’s command embed their commands between those two strings.
©2017 Cybereason Inc. All rights reserved. 20
The same technique was used to steal and exfiltrate sensitive company data, as seen in the
screenshots below:
The command lines of the following cmd.exe instances clearly show that the attackers were
gathering information and exfiltrating specific documents:
In addition, examining the command line arguments reveals that the attackers also were aware
of the proxy server deployed in the environment and configured the IP and port accordingly to
allow them external connection to the C&C server:
4. Internal reconnaissance
After the attackers established a foothold on the compromised machines and established C2
communication, they scanned the network, enumerated machines and users and gathered more
information about the environment.
As the screenshot below shows, the attackers launched port scanning against common ports:
The following are a few examples of command line arguments that were used to gather
information on the infected hosts and the network:
Command Purpose
net localgroup administrators Enumerating admin users
©2017 Cybereason Inc. All rights reserved. 23
net group "Domain Controllers" /domain Enumerating DC servers
klist tickets Displaying Kerberos Tickets
dir \\[IP_redacted]\c$ Displaying files on net share
netstat -anpo tcp Displaying TCP connections
ipconfig /all Displaying Network adapter information
ping [hostname_redacted] -n 1 Pinging a host
net view \\[redacted] /all Shows all shares available, including
administrative shares like C$ and admin$
netsh wlan show interface Displaying Wireless adapter properties
route print Displaying a list of persistent routes
WHOAMI Outputs the owner of the current login session
(local, admin, system)
WMIC path win32_process get Searching for the process ID of OUTLOOK, in
Caption,Processid,Commandline | findstr order to restart it, so it would load the
OUTLOOK malicious vbaproject.otm file
Once the Cobalt Strike Beacon was installed, the attackers attempted to find privilege escalation
vulnerabilities that they could exploit on the compromised hosts. The following example shows a
command that was run by a spawned PowerShell process:
5. Lateral movement
The attackers compromised more than 35 machines, including the Active Directory server, by
using common lateral movement techniques including pass-the-hash and pass-the-ticket and
Windows applications such as net.exe and WMI.
The attackers mainly used Mimikatz, which was customized in a way that ensured antivirus
products wouldn’t detect it.
5.1.1. Mimikatz
The main tool used to obtain credentials from the compromised machines was a obfuscated and
sometimes slightly modified versions of Mimikatz, a known password dumping tool, whose
source code is freely available on GitHub. The attackers used at least 14 different versions of
Mimikatz using different techniques to evade antivirus detection:
The attackers used a modified version of a publicly available tool called PSUnlock to bypass the
PowerShell execution restrictions. Here’s an example of this tool being used:
rundll32 C:\ProgramData\PShdll35.dll,main -f C:\ProgramData\doutlook.ps1
The attackers managed to compromise a domain admin account. Using the compromised
administrative account, the attackers moved laterally, deployed their tools and mass-infected
other machines. More instances of lateral movements were observed using other compromised
accounts during the different stages of the attack.
Backdoors
Msfte.dll be6342fc2f33d8380e0ee5531592e9f676bb1f94
------------- 638b7b0536217c8923e856f4138d9caff7eb309d
Variant of dcbe007ac5684793ea34bf27fdaa2952c4e84d12
Backdoor.Win32.Denis 43b85c5387aafb91aea599782622eb9d0b5b151f
Goopdate.dll 9afe0ac621c00829f960d06c16a3e556cd0de249
----------------- 973b1ca8661be6651114edf29b10b31db4e218f7
Goopy backdoor 1c503a44ed9a28aad1fa3227dc1e0556bbe79919
2e29e61620f2b5c2fd31c4eb812c84e57f20214a
c7b190119cec8c96b7e36b7c2cc90773cffd81fd
185b7db0fec0236dff53e45b9c2a446e627b4c6a
ef0f9aaf16ab65e4518296c77ee54e1178787e21
product_info.dll 3cf4b44c9470fb5bd0c16996c4b2a338502a7517
[Backdoor exploiting DLL-hijacking
against Kaspersky Avpia]
VbaProject.OTM 320e25629327e0e8946f3ea7c2a747ebd37fe26f
[Outlook Macro]
sunjavascheduler.ps1 0d3a33cb848499a9404d099f8238a6a0e0a4b471
sndVolSSO.ps1 c219a1ac5b4fd6d20a61bb5fdf68f65bbd40b453
91e9465532ef967c93b1ef04b7a906aa533a370e
SCVHost.ps1
fhsvcs.ps1
Goztp.ps1
dns.exe cd675977bf235eac49db60f6572be0d4051b9c07
msfte.dll 2f8e5f81a8ca94ec36380272e36a22e326aa40a4
FVEAPI.dll 01197697e554021af1ce7e980a5950a5fcf88318
sunjavascheduler.ps1 7657769f767cd021438fcce96a6befaf3bb2ba2d
syscheck.ps1 Ed074a1609616fdb56b40d3059ff4bebe729e436
dns.ps1 D667701804CA05BB536B80337A33D0714EA28129
activator.ps1 F45A41D30F9574C41FE0A27CB121A667295268B2
7F4C28639355B0B6244EADBC8943E373344B2E7E
nvidia.db
CV.doc [redacted]
Complaint letter.doc
License Agreement.doc
Loader scripts
syscheck.vbs 62749484f7a6b4142a2b5d54f589a950483dfcc9
SndVolSSO.txt cb3a982e15ae382c0f6bdacc0fcecf3a9d4a068d
dllhosts.exe 5a31342e8e33e2bbe17f182f2f2b508edb20933f
23c466c465ad09f0ebeca007121f73e5b630ecf6
14FDEF1F5469EB7B67EB9186AA0C30AFAF77A07C
KB571372.ps1 7CADFB90E36FA3100AF45AC6F37DC55828FC084A
KB647152.exe 7BA6BFEA546D0FC8469C09D8F84D30AB0F20A129
KB647164.exe BDCADEAE92C7C662D771507D78689D4B62D897F9
kb412345.exe e0aaa10bf812a17bb615637bf670c785bca34096
kb681234.exe 4bd060270da3b9666f5886cf4eeaef3164fad438
System.exe 33cb4e6e291d752b9dc3c85dfef63ce9cf0dbfbc
550f1d37d3dd09e023d552904cdfb342f2bf0d35
SRCHUI.dll 29BD1BAC25F753693DF2DDF70B83F0E183D9550D
adrclients.dll FC92EAC99460FA6F1A40D5A4ACD1B7C3C6647642
[HookPasswordChange]
KB471623.exe 6609A347932A11FA4C305817A78638E07F04B09F
[Custom password dumper]
doutlook.ps1 EBDD6059DA1ABD97E03D37BA001BAD4AA6BCBABD
adobe.dat B769FE81996CBF7666F916D741373C9C55C71F15
adrclients.ps1 E64C2ED72A146271CCEE9EE904360230B69A2C1D
[Custom password dumper]
Miscellaneous tools
pshdll35.dll 52852C5E478CC656D8C4E1917E356940768E7184
pshdll40.dll EDD5D8622E491DFA2AF50FE9191E788CC9B9AF89
[PSUnlock - PowerShell Bypass
tool]
KB-10233.exe C5e19c02a9a1362c67ea87c1e049ce9056425788
kb74891.exe 0908a7fbc74e32cded8877ac983373ab289608b3
[NetCat]
IP.exe 6aec53554f93c61f4e3977747328b8e2b1283af2
cmd.exe
dllhost.exe
[IP check Tool]
hxxp://support.chatconnecting(.)com:80/icon.ico c41972517f268e214d1d6c446ca75e795646c5f2
hxxp://food.letsmiles(.)org/login.txt 9f95b81372eaf722a705d1f94a2632aad5b5c180
hxxp://food.letsmiles(.)org/9niL 5B4459252A9E67D085C8B6AC47048B276C7A6700
hxxp://23.227.196(.)210:80/logscreen.jpg d8f31a78e1d158032f789290fa52ada6281c9a1f
50fec977ee3bfb6ba88e5dd009b81f0cae73955e
hxxp://45.114.117(.)137/eXYF D1E3D0DDE443E9D294A39013C0D7261A411FF1C4
91BD627C7B8A34AB334B5E929AF6F981FCEBF268
hxxp://images.verginnet(.)info:80/ppap.png F0A0FB4E005DD5982AF5CFD64D32C43DF79E1402
hxxp://176.107.176(.)6/QVPh 8FC9D1DADF5CEF6CFE6996E4DA9E4AD3132702C
hxxp://108.170.31(.)69/a 4a3f9e31dc6362ab9e632964caad984d1120a1a7
hxxp://support(.)chatconnecting(.)com/pic.png bb82f02026cf515eab2cc88faa7d18148f424f72
hxxp://blog.versign(.)info/access/?version=4&lid=[reda 9e3971a2df15f5d9eb21d5da5a197e763c035f7a
cted]&token=[redacted]
hxxp://23.227.196(.)210/6tz8 bb82f02026cf515eab2cc88faa7d18148f424f72
hxxp://23.227.196(.)210/QVPh 8fc9d1dadf5cef6cfe6996e4da9e4ad3132702c5
hxxp://45.114.117(.)137/3mkQ 91bd627c7b8a34ab334b5e929af6f981fcebf268
hxxp://176.223.111(.)116:80/download/sido.jpg 5934262D2258E4F23E2079DB953DBEBED8F07981
hxxp://110.10.179(.)65:80/ptF2 DA2B3FF680A25FFB0DD4F55615168516222DFC10
hxxp://110.10.179(.)65:80/download/microsoftp.jpg 23EF081AF79E92C1FBA8B5E622025B821981C145
hxxp://110.10.179(.)65:80/download/microsoft.jpg C845F3AF0A2B7E034CE43658276AF3B3E402EB7B
C&C IPs
45.114.117(.)137
104.24.119(.)185
104.24.118(.)185
23.227.196(.)210
23.227.196(.)126
184.95.51(.)179
176.107.177(.)216
192.121.176(.)148
103.41.177(.)33
184.95.51(.)181
23.227.199(.)121
108.170.31(.)69
104.27.167(.)79
104.27.166(.)79
176.107.176(.)6
184.95.51(.)190
176.223.111(.)116
110.10.179(.)65
27.102.70(.)211
C&C Domains
food.letsmiles(.)org
help.chatconnecting(.)com
*.letsmiles(.)org
support.chatconnecting(.)com
inbox.mailboxhus(.)com
blog.versign(.)info
news.blogtrands(.)net
stack.inveglob(.)net
tops.gamecousers(.)com
nsquery(.)net
tonholding(.)com
cloudwsus(.)net
nortonudt(.)net
teriava(.)com
tulationeva(.)com
blog(.)versign(.)info File name: Giấy yêu cầu bồi thường mới 2016 - Hằng.doc
SHA-1: Link
(23.227.196[.]210) a5bddb5b10d673cbfe9b16a062ac78c9aa75b61c
Submitted: 2016-10-06 11:03:54