An unofficial, hacker-built Linux version of a Cobalt Strike beacon has been identified by cybersecurity researchers being actively deployed in attacks aimed at international organisations. The threat operator behind the development remains unknown, but experts have confirmed that this version of Cobalt Strike has been custom-built from the ground up.

Corruption of a useful cybersecurity tool

A legitimate tool designed for penetration testing, Cobalt Strike is used as a framework by cybersecurity experts acting as attackers. Known as “Red Teams”, these groups probe their company’s infrastructure and defences, seeking out potential vulnerabilities, back doors, and other gaps in security. However, Cobalt Strike has also been witnessed being used by cybercriminals such as ransomware operators, who have corrupted its original purpose before employing it to execute post-exploitation actions.

After Cobalt Strike beacons have been deployed, threat actors are empowered with continuing remote access to the company devices that have been compromised. Utilising beacons, ransomware gangs can later enjoy access to breached servers, allowing them to exfiltrate data or deploy further malware payloads onto systems. Over the years, copies of Cobalt Strike cracked by hackers have been acquired and shared among other threat actors, making it now among the more common weapons used in modern cyberattacks that lead to stolen data and ransomware infections.

The limitations of Cobalt Strike as a hacker tool

While Cobalt Strike has proved a useful tool for a wide range of cybercriminals, it has long had one weakness: previously, it had only ever supported devices running Windows operating systems and had not included Linux beacons. However, a new report issued by security researchers at Intezer has explained how threat operators have managed to create Linux beacons that are fully compatible with the penetration-testing tool. Utilising these beacons, malicious operators can now obtain persistent access and remote command execution not just on Windows machines but on those running Linux as well.

Intezer’s research team first identified the beacon activity last month, naming it Vermilion Strike. They explained that the Cobalt Strike ELF binary they discovered (on VirusTotal) was entirely undetected by today’s anti-malware solutions. While Vermilion Strike uses no part of Cobalt Strike’s code, it comes with a configuration format identical to the authentic Windows beacon and is able to communicate with any Cobalt Strike server. “The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands, and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia.” This new Linux variant also shows technical overlaps with the Windows DLL files, offering the same abilities when talking to command-and-control servers, which suggests that the same hacker may be responsible.

Vermilion Strike is able to perform numerous tasks after being deployed on a compromised Linux system. These include changing the working directory, uploading a file to a C2 server, and the ability to append to and write files, among others.

Cobalt Strike Beacon Distribution: CERT-UA Details the Latest UAC-0056 Attack Against Ukraine

Detecting UAC-0056 Activity: Sigma Rules to Spot New Attacks Against Ukrainian Government.

The notorious Cobalt Strike Beacon malware has been actively distributed by multiple hacking collectives in spring 2022 as part of the ongoing cyber war against Ukraine, mainly leveraged in targeted phishing attacks on Ukrainian state bodies. On July 6, 2022, CERT-UA released an alert warning of a new malicious email campaign targeting Ukrainian government entities. The ongoing cyber-attack involves the mass distribution of emails with a lure subject and an XLS file attachment containing a malicious macro that leads to a Cobalt Strike Beacon malware infection on the compromised system.