When they come with Cobalt Strike, just know it is serious!

A few weeks back we put out a tweet indicating there was an ongoing campaign targeting organisations' networks in #Nigeria. This blog post expands on our findings and on what we understand to be the goal of this campaign from the activities observed so far.
The campaign was found to be opportunistic, going after whatever open targets presented themselves; the activity observed so far has been concentrated on government organisations, telecommunications and finance.
Incident Description
In this campaign, the initial point of entry leverages misconfigurations in internet-facing assets, which could be applications, web servers or mail services. In one of the referenced cases, the attacker leveraged a misconfigured server on the target network, which was found to be the beachhead, as captured below in the security platform.

Drilling down on this compromised server, we found a hidden account under which the attacker had dropped several other malicious files, which were captured during the investigation. These files were identified as tools for internal reconnaissance of the environment: scanning network blocks for resources of interest to the attacker (SMB shares, web services, workgroups, open ports and services) and possibly credential dumping (one of them is a plugin for Cobalt Strike). The output of this internal recon was eventually found in text files on the server.

Leveraging the information captured on the beachhead and the alerts from the SIEM platform, we established that more systems were already talking to the C2 server on port 80, matching the IoCs. This indicates that credential dumping, internal enumeration, lateral movement and possibly infiltration and exfiltration may have taken place during this period.


With the Cobalt Strike C2 infrastructure in place, the attacker used it to move laterally around the network. The stager was found on another server, where the Endpoint Detection and Response agent blocked the connection it initiated by repeatedly removing the stager.

On one of the servers, we found a further series of internal recon tools connecting to the redirector IP of the C2 infrastructure, as shown below. These files reside in the Public Downloads folder under the Public user profile, and log.ini was found to contain the configuration used to communicate with the C2.



log.exe, found running on one of the compromised servers, was observed to have generated the following events on the SIEM platform: an internal recon sweep searching for devices running SSH (port 22) within the internal network. Other sweeps targeting other standard ports were also found and captured.

Legitimate processes such as rundll32.exe, lsass.exe and powershell.exe were seen to have been taken over by the malicious Cobalt Strike stager, communicating with the redirector IP of the C2 server, 116.204[.]211.148.
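The two behaviours described above, the port 22 sweep generated by log.exe and the hijacked system processes talking to the redirector on port 80, can be turned into simple detection rules. The Python below is an added example written for this post, not CyberPlural's tooling or output from the SIEM: it runs over constructed sample events in a simplified CSV schema (timestamp, source host, process, destination IP, destination port), and the internal address ranges, the sweep threshold and the time window are assumptions chosen for the demo.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Redirector / C2 addresses from the IoC list in this post (re-fanged).
C2_IPS = {"116.204.211.180", "116.204.211.148", "123.184.108.93"}

# System processes that should never originate outbound internet traffic.
SUSPECT_PROCESSES = {"lsass.exe", "rundll32.exe", "powershell.exe"}

# Assumed internal address space for the environment (an assumption, not from the post).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_events():
    """Constructed sample telemetry (not real SIEM data) as CSV text with
    columns: timestamp,src_host,process,dst_ip,dst_port."""
    t0 = datetime(2021, 3, 1, 10, 0, 0)
    rows = []
    # log.exe sweeping port 22 across 40 internal hosts in 40 seconds
    for i in range(1, 41):
        rows.append((t0 + timedelta(seconds=i), "SRV01", "log.exe", f"10.0.0.{i}", 22))
    # processes hijacked by the stager, beaconing to the redirector on port 80
    rows.append((t0 + timedelta(minutes=2), "SRV02", "lsass.exe", "116.204.211.148", 80))
    rows.append((t0 + timedelta(minutes=3), "SRV02", "rundll32.exe", "116.204.211.148", 80))
    # benign traffic that must not alert
    rows.append((t0 + timedelta(minutes=4), "WS07", "chrome.exe", "198.51.100.7", 443))
    rows.append((t0 + timedelta(minutes=5), "WS07", "outlook.exe", "10.0.5.20", 443))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "src_host", "process", "dst_ip", "dst_port"])
    for ts, src, proc, dst, port in rows:
        writer.writerow([ts.isoformat(), src, proc, dst, port])
    return buf.getvalue()


def parse_events(text):
    """Parse the CSV telemetry into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": row["src_host"],
            "proc": row["process"].lower(),
            "dst": row["dst_ip"],
            "port": int(row["dst_port"]),
        })
    return events


def detect_port_sweep(events, port=22, threshold=20, window=timedelta(minutes=5)):
    """Flag a (host, process) pair that reaches `threshold` or more distinct
    internal destinations on `port` within a sliding time window."""
    by_source = defaultdict(list)
    for e in events:
        if e["port"] == port and is_internal(e["dst"]):
            by_source[(e["src"], e["proc"])].append(e)
    alerts = []
    for (src, proc), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"src": src, "proc": proc, "port": port, "targets": len(targets)})
                break  # one alert per source is enough
    return alerts


def detect_c2_traffic(events):
    """Flag connections to known C2 addresses, plus any outbound internet
    connection from a system process that has no business making one."""
    alerts = []
    for e in events:
        if e["dst"] in C2_IPS:
            alerts.append({**e, "reason": "known C2 address"})
        elif e["proc"] in SUSPECT_PROCESSES and not is_internal(e["dst"]):
            alerts.append({**e, "reason": "unexpected outbound from system process"})
    return alerts


if __name__ == "__main__":
    events = parse_events(build_sample_events())
    for a in detect_port_sweep(events):
        print("SWEEP", a)
    for a in detect_c2_traffic(events):
        print("C2", a["src"], a["proc"], a["dst"], a["port"], a["reason"])
```

The sweep rule counts distinct destinations rather than raw connections, so a single host hammering one SSH server does not trigger it, and the second rule keeps firing on a process like lsass.exe reaching the internet even after the attacker rotates the redirector IP, which is the part of the IoC list that changes fastest.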

Conclusion.
From the above investigation, it is obvious that the attacker behind this campaign means business, considering the type of tools captured during the incident response engagement. Attackers willing to operate a C2 infrastructure hosting Cobalt Strike, together with the other tools captured above, will go to great lengths to meet their financial objectives, which can come in two ways: credential theft, or data exfiltration with the data later put up for sale on the dark web, probably to a competitor or to ransomware operators who will come back to deploy their ransomware on the already compromised network. In that case a double-extortion scheme might be useful to the attacker.
Organisations are advised to embark on patch management, harden legacy systems that cannot be patched, close unused ports and services, and use secure ports on other internet-facing assets that are regularly open to public access. They can also adopt the service of CyberPlural MSSP, which provides a combination of advanced cyber technology to protect their users, endpoints and networks through 24/7 proactive monitoring and incident response capability.
IOC.
Below is the list of Indicators of Compromise (IoCs) observed on the compromised server investigated: hashes and possible file locations for all files dropped by the attackers. These details may change from operator to operator, but the campaign approach remains the same.
116.204[.]211.180
116.204[.]211.148
123.184[.]108.93
gorailgun-1.3.8.zip
Ladon7.5_20201103.zip
gorailgun-1.3.8.exe
LadonGUI40.exe
fscan64.exe
log.exe
log.ini
AdFind.exe
\\127.0.0.1\ADMIN$\5f2a2b3.exe
C:\Users\admin$\Desktop
C:\Users\Public\Downloads
%windir%\sysnative\rundll32.exe
/c/msdownload/update/others/2016/12/29136388_
download.windowsupdate.com.cab
server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
| SHA256 | IoC |
|---|---|
| aa305ad62d70cec54fdafa685ec8ab9d67bc486891c848fe0e9b2ffdc745b802 | gorailgun-1.3.8.zip |
| 7953c193e332830909d86ab35d50793cb157f03cc0e43bbc28afb09b00dbd48e | Ladon7.5_20201103.zip |
| c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 | AdFind.exe |
| d26437cc6ff9d094d42947d214c80a313e064ca403e9dd33a8110d7e859dd10e | fscan64.exe |
| 60c2f395a7af8433b6a71601168ed96dad412375db9622d7b50344a6f3d297c1 | log.exe |
| b81d6956938efae1c077869b084a834a54982db36e845b524a5a0896aa2c3c94 | gorailgun-1.3.8.exe |
| b6a17063e36522ea5e0778110e6de92f3f50af63818ffee6e4652d4403d3b714 | LadonGUI40.exe |
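As an added example (not the post's own tooling), the following Python turns the IoC table into a simple host sweep: it hashes every file under a directory and reports SHA256 matches against the table, reports bare file-name matches separately as lower-confidence leads, and re-fangs the `[.]` IP notation used in the list above. The directory it scans is a constructed temporary tree, and the one extra hash it registers is a constructed placeholder so the hash-match path can be exercised without any of the campaign's files.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values and file names from the IoC table in this post.
IOC_HASHES = {
    "aa305ad62d70cec54fdafa685ec8ab9d67bc486891c848fe0e9b2ffdc745b802": "gorailgun-1.3.8.zip",
    "7953c193e332830909d86ab35d50793cb157f03cc0e43bbc28afb09b00dbd48e": "Ladon7.5_20201103.zip",
    "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3": "AdFind.exe",
    "d26437cc6ff9d094d42947d214c80a313e064ca403e9dd33a8110d7e859dd10e": "fscan64.exe",
    "60c2f395a7af8433b6a71601168ed96dad412375db9622d7b50344a6f3d297c1": "log.exe",
    "b81d6956938efae1c077869b084a834a54982db36e845b524a5a0896aa2c3c94": "gorailgun-1.3.8.exe",
    "b6a17063e36522ea5e0778110e6de92f3f50af63818ffee6e4652d4403d3b714": "LadonGUI40.exe",
}
# Dropped-file names from the IoC list (a name match alone is low confidence).
IOC_NAMES = {"gorailgun-1.3.8.zip", "Ladon7.5_20201103.zip", "gorailgun-1.3.8.exe",
             "LadonGUI40.exe", "fscan64.exe", "log.exe", "log.ini", "AdFind.exe"}


def refang(indicator):
    """Turn a de-fanged IoC such as 116.204[.]211.148 back into a usable value."""
    return indicator.replace("[.]", ".")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Walk `root`; a hash match is high confidence, a bare file-name match is
    a lead to triage (legitimate admin tools share names such as AdFind.exe)."""
    lower_names = {n.lower() for n in names}
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in hashes:
            findings.append({"path": str(path), "match": "sha256", "ioc": hashes[digest]})
        elif path.name.lower() in lower_names:
            findings.append({"path": str(path), "match": "filename", "ioc": path.name})
    return findings


def build_demo_tree():
    """Create a constructed sample tree (no attacker files involved): one file
    whose name matches an IoC and one whose hash is registered as a constructed,
    hypothetical IoC so the hash-match path is exercised too."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    downloads = root / "Users" / "Public" / "Downloads"
    downloads.mkdir(parents=True)
    (downloads / "fscan64.exe").write_bytes(b"constructed placeholder, not the real binary")
    sample = downloads / "dropper.bin"
    sample.write_bytes(b"constructed sample content")
    (root / "readme.txt").write_bytes(b"benign file")
    extra_hashes = {sha256_file(sample): "constructed-sample.bin"}
    return root, extra_hashes


if __name__ == "__main__":
    root, extra = build_demo_tree()
    for finding in scan_directory(root, {**IOC_HASHES, **extra}):
        print(finding["match"], finding["ioc"], finding["path"])
    print(refang("116.204[.]211.148"))
```

Run it against a path such as the Public Downloads folder named in the list; treat a SHA256 hit as confirmed and a name-only hit as something to pull for inspection, since the post itself notes that file specifics change from operator to operator while the tooling pattern stays the same.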