Fake PoC Used to Drop Cobalt Strike

Security researchers were targeted and infected with the Cobalt Strike backdoor by an adversary using a fake Windows PoC exploit.

The threat actor took advantage of two recently patched Windows remote code execution flaws by posing as the author of proof-of-concept exploits for them:

  • CVE-2022-24500
  • CVE-2022-26809

Security researchers routinely use proof-of-concept exploits to test their own defenses and to push administrators to apply security updates promptly.

At the same time, attackers frequently reuse such exploits to carry out attacks and, in some cases, to spread from one network to another.

Technical Details

The malware is a .NET binary obfuscated with ConfuserEx, a .NET application protector.

The malware contains no exploit code for the vulnerabilities named above. Instead, it executes embedded shellcode while printing a fake message claiming that an exploit attempt is in progress.

To make the fake exploit look more credible, the malware calls Sleep() between messages, so the status lines appear at short intervals, after which they are printed again.

To deliver the actual payload, the malware first prints the fake message and then runs a PowerShell command through "cmd.exe"; the hidden command is embedded in the disguised output.

The PowerShell command contacts a command-and-control server over the Internet to download the Cobalt Strike Beacon.
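The execution chain described above (a freshly downloaded "PoC" executable spawning cmd.exe, which in turn launches PowerShell with a hidden or encoded command) is a recognisable pattern in process-creation telemetry. The following script is an added example written for this article, not code from the original post or from the malware: it walks constructed Sysmon-style process-creation records (the field names `pid`, `ppid`, `image`, `cmd` and the sample values are assumptions) and flags PowerShell launched via cmd.exe from a binary in a user-writable location.

```python
"""
Flag the dropper -> cmd.exe -> powershell.exe chain in process-creation logs.
Events are constructed for this example and only mimic the shape of Sysmon
Event ID 1 records; nothing here is real telemetry.
"""
import re
from typing import Dict, List

# Constructed sample events (assumed schema: pid, ppid, image, cmd).
# The base64 payload is a placeholder, not a real encoded command.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Users\alice\Downloads\CVE-2022-26809-poc.exe",
     "cmd": "CVE-2022-26809-poc.exe 10.0.0.5"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc BASE64PLACEHOLDER"},
    # Benign chain: a developer's terminal running a build script.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Git\git-bash.exe",
     "cmd": "git-bash.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -File build.ps1"},
]

# Paths a user (or a downloaded file) can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# PowerShell switches and cmdlets typical of a concealed download-and-run step.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"downloadstring|\biex\b|invoke-expression)", re.I)


def ancestors(event: Dict, index: Dict[int, Dict]) -> List[Dict]:
    """Return [event, parent, grandparent, ...] following ppid links."""
    chain, seen = [event], set()
    while event["ppid"] in index and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = index[event["ppid"]]
        chain.append(event)
    return chain


def find_suspicious_chains(events: List[Dict]) -> List[Dict]:
    """Alert on powershell.exe with suspicious flags whose parent is cmd.exe
    and whose grandparent runs from a user-writable directory."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        indicators = sorted({m.group(0).lower()
                             for m in SUSPICIOUS_PS.finditer(ev["cmd"])})
        if not indicators:
            continue
        chain = ancestors(ev, index)
        if len(chain) < 3:
            continue
        parent_is_cmd = chain[1]["image"].lower().endswith("\\cmd.exe")
        if parent_is_cmd and USER_WRITABLE.search(chain[2]["image"]):
            alerts.append({"powershell_pid": ev["pid"],
                           "dropper": chain[2]["image"],
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign git-bash chain is left alone because its PowerShell command carries none of the concealment switches; in a real deployment the path and switch lists would be tuned to the environment, and the alert would be enriched with the hash and download origin of the grandparent binary.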

Beyond lateral movement, the Cobalt Strike Beacon can be used to download additional payloads and carry out other malicious activity.

The evidence indicates that the infosec community itself is being actively targeted, and researchers handling third-party PoC code should treat it accordingly.

Recommendation

Threat actors are carrying out a variety of attacks using a range of methods. Cybersecurity experts have therefore strongly recommended the following mitigations:

  • Do not download files from websites you are unfamiliar with.
  • Run a reputable anti-virus and internet security package on every network-connected PC, laptop, or mobile device.
  • If you are unsure about the authenticity of an email or a link in it, do not open it until you have verified that it is genuine.
  • Educate employees on how to defend themselves against phishing scams and untrusted URLs.
  • Monitor for beacon traffic at the network level so that data exfiltration by malware or a Trojan can be stopped.
  • Ensure that a Data Loss Prevention (DLP) solution is deployed on employee systems.
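Monitoring for a beacon at the network level, as the recommendations above advise, usually starts with spotting the regular check-in interval a Beacon keeps with its command-and-control server. The script below is an added example for this article (not code from the original post or from any vendor tool): it reads constructed outbound proxy log lines in an assumed `<epoch> <client_ip> <dest_host> <bytes_out>` format, groups them by client and destination, and flags pairs whose inter-request intervals are tightly clustered. Hostnames and timestamps are placeholders.

```python
"""
Spot periodic outbound connections (candidate C2 beaconing) in proxy logs.
Log lines are constructed for this example; the format is an assumption.
"""
from collections import defaultdict
from statistics import pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one host is contacted every ~60 s with small jitter,
# the other at irregular, human-driven intervals.
SAMPLE_LOG = """\
1650000000 10.0.0.7 c2.example-placeholder.test 301
1650000005 10.0.0.7 cdn.example-legit.test 512
1650000017 10.0.0.7 cdn.example-legit.test 2048
1650000060 10.0.0.7 c2.example-placeholder.test 298
1650000121 10.0.0.7 c2.example-placeholder.test 305
1650000179 10.0.0.7 c2.example-placeholder.test 299
1650000240 10.0.0.7 c2.example-placeholder.test 302
1650000300 10.0.0.7 cdn.example-legit.test 10240
1650000301 10.0.0.7 c2.example-placeholder.test 300
1650000302 10.0.0.7 cdn.example-legit.test 768
1650000359 10.0.0.7 c2.example-placeholder.test 297
1650000420 10.0.0.7 c2.example-placeholder.test 303
1650000900 10.0.0.7 cdn.example-legit.test 4096
1650001500 10.0.0.7 cdn.example-legit.test 1024
1650001503 10.0.0.7 cdn.example-legit.test 1024
"""


def parse_log(log: str) -> Dict[Tuple[str, str], List[int]]:
    """Group request timestamps by (client_ip, dest_host)."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host, _bytes_out = line.split()
        by_pair[(client, host)].append(int(ts))
    return by_pair


def beacon_score(timestamps: List[int]) -> Optional[Dict[str, float]]:
    """Return mean period and coefficient of variation of the gaps between
    requests, or None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 5:
        return None
    period = sum(intervals) / len(intervals)
    cv = pstdev(intervals) / period if period else float("inf")
    return {"period": period, "cv": cv, "count": len(ts)}


def find_beacons(log: str, max_cv: float = 0.10,
                 min_samples: int = 6) -> List[Tuple[str, str, float]]:
    """Return (client, host, period_seconds) for pairs whose request gaps are
    regular enough (low CV) and numerous enough to look like a beacon."""
    hits = []
    for (client, host), ts in parse_log(log).items():
        score = beacon_score(ts)
        if score and score["cv"] <= max_cv and score["count"] >= min_samples:
            hits.append((client, host, round(score["period"], 1)))
    return hits


if __name__ == "__main__":
    for client, host, period in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: ~{period}s period")
```

A real Beacon profile can add large jitter or use long sleep intervals, so the CV threshold and sample count should be tuned per environment and combined with other signals (rare destination, consistent small request sizes, newly registered domain) rather than used alone.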


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.