When they come with Cobalt Strike, just know it is serious!

cyberplural

A few weeks back we put out a tweet indicating there were an ongoing campaign targeting organisations’ networks in #Nigeria. This blog post will be expanding on our findings and what we have understood to be the goal of this campaign from activities observed so far.

The campaign was found to be focused on open targets that presented themselves (opportunistic hacking) and activities observed so far have been more targeted toward government organizations, telecommunication, and finance.

Incident Description

Following this campaign, the initial point of entry leverage misconfigurations in internet-facing assets which could be applications, web servers and mail services. In one of the referenced cases, the attacker leveraged a misconfigured server on the target network which was found to be the beachhead as captured below in the security platform.

Registration of security events from Beachhead

Drilling down on this compromise server we found a hidden account where the attacker dropped some other malicious file that was captured during the investigation. These files were identified to be used for internal recon of the environment; scanning network blocks for resources that may be of interest to the attacker; SMB shares, web services, workgroups, open ports and services and possible credential dumping (one of them is a plugin for Cobalt Strike).  The result of this internal recon was found in some text files on the server eventually.

Dropped files in C:\Users\admin$\Desktop & Account creation.

Leveraging some of the information captured on the beachhead and the alerts from the SIEM platform, we were able to understand more systems were already talking with the C2 server on port 80 following the IoCs which is an indication that the possibility of credential dumping, internal enumeration, lateral movement and possible infiltration and exfiltration might have taken place during this period.

Communications with C2 Server

With the Cobalt Strike C2 infrastructure in place, the attacker was using this to laterally move around the network and of which the stager was found another server and the Endpoint Detection and Response agent block the connection initiated by continuous removal of the stager.

Detection and Removal of the Cobalt Strike Stager

In one of the servers, we found some other series of internal recon tools that are connecting to the redirect IP of the C2 infrastructure as shown below. These files reside in the Public Downloads in the Public User folder, and the log.ini is found to contain the configuration file through which it is used to communicate to the C2.

log.exe in action
Dropped file in C:\Users\Public\Downloads
log.exe configuration file in log.ini

log.exe found to be running on one of the compromised servers was observed to have generated the following events on the SIEM platform, an internal recon in search of devices with port SSH (22) services running within the internal network. Other searches targeting other standard ports were also found and captured.

Internal reconnaissance was observed from the compromise server using log.exe

Legitimate processes like rundll32.exe, lsass.exe, powershell.exe were seen to have taken over by the malicious Cobalt Strike stager communicating with the redirect IP of the C2 server 116.204[.]211.148

Legitimate processes communicating with the C2

Conclusion.

From the above investigation, it is obvious the attacker pushing this campaign really means business considering the type of tools that were captured during the incident response engagement. Such attackers willing to leverage a C2 infrastructure hosting Cobalt Strike, with some other interesting tools as captured above will be willing to go to any length to meet their financial objectives which can come in two ways; either credential stealing, data exfil which will later be put up for sale in the dark web probably to a competitor or some ransomware operators who will come back to deploy their ransomware on the already existing compromised network. This time around the double extorting scheme might be useful for the attacker.

Organizations are advised to embark on patch management, system hardening for legacy systems that cannot be patched, close unused ports and services, and use secure ports on other internet-facing assets that are regularly open for public access. They can also adopt the service of CyberPlural MSSP which will provide a combination of advanced cyber technology that can protect their users, endpoint and networks through a 24/7 proactive monitoring and incident response capability.

IOC.

Contained below is the list of Indicator of Compromise (IoCs) observed on the compromised server investigated. Hashes and possible file locations for all dropped files by the attackers. This information might change from operator to operator but the campaign approach remains the same.

116.204[.]211.180

116.204[.]211.148

123.184[.]108.93

gorailgun-1.3.8.zip

Ladon7.5_20201103.zip

gorailgun-1.3.8.exe

LadonGUI40.exe

fscan64.exe

log.exe

log.ini

AdFind.exe

\\127.0.0.1\ADMIN$\5f2a2b3.exe

C:\Users\admin$\Desktop

C:\Users\Public\Downloads

%windir%\sysnative\rundll32.exe

/c/msdownload/update/others/2016/12/29136388_

download.windowsupdate.com.cab

server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64

SHA256IoC
aa305ad62d70cec54fdafa685ec8ab9d67bc486891c848fe0e9b2ffdc745b802 gorailgun-1.3.8.zip
7953c193e332830909d86ab35d50793cb157f03cc0e43bbc28afb09b00dbd48e Ladon7.5_20201103.zip
c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 AdFind.exe
d26437cc6ff9d094d42947d214c80a313e064ca403e9dd33a8110d7e859dd10e fscan64.exe
60c2f395a7af8433b6a71601168ed96dad412375db9622d7b50344a6f3d297c1 log.exe
b81d6956938efae1c077869b084a834a54982db36e845b524a5a0896aa2c3c94 gorailgun-1.3.8.exe
b6a17063e36522ea5e0778110e6de92f3f50af63818ffee6e4652d4403d3b714 LadonGUI40.exe

Leave a Reply

Your email address will not be published.

Scroll to Top