I wrote a blog about Cobalt Strike beacon monitoring, Windows tokens and Kerberos persistence. Check it out sokarepo.github.io/redteam/2024/0…

2024-04-18 (Thursday): #SSLoad infection leads to #CobaltStrike DLL. In this case we saw no follow-up Cobalt Strike C2 traffic. List of indicators available at bit.ly/3Q9SORR

#TimelyThreatIntel #Unit42ThreatIntel #Wireshark #InfectionAnalysis

Unit 42 A #pcap of the #SSLoad infection traffic leading to the #CobaltStrike DLL along with the associated malware/artifacts are available at malware-traffic-analysis.net/2024/04/18/ind…

#ln -s :malware_traffic: Unit 42 A #pcap of the #SSLoad infection traffic leading to the #CobaltStrike DLL along with the associated malware/artifacts are available at malware-traffic-analysis.net/2024/04/18/ind…

#RCE attempt targeting #Drupal #CVE -2018-7600

Spread.exe is a #coinminer that also connects to 116.213.40.102:9999 🇭🇰
Same IP was a #cobaltstrike server back on 2023-12-31

2024-04-17 15:17:52 UTC
Source IP: 206.238.221.2 🇸🇬
POST /user/register?element_parents=account/mail/

Cobalt Strike Server Found
C2: HTTP @ 173[.]44[.]141[.]234:80
C2 Server: 173[.]44[.]141[.]234,/jquery-3[.]3[.]1[.]min[.]js
Country: United States (AS62904)
ASN: AS62904
#C2 #cobaltstrike

#RaspberryRobin 🍓🐦 is putting organizations at risk by acting as a precursor to other malware families, including #SocGholish , #IcedID and #CobaltStrike

And what’s worse, a new campaign is slipping through unnoticed: ow.ly/4OL150RcvXl

GitHub - Apr4h/CobaltStrikeScan: Scan files or process memory for CobaltStrike beacons and parse their configuration github.com/Apr4h/CobaltSt…

Cobalt Strike Server Found
C2: HTTPS @ 109[.]120[.]178[.]253:443
C2 Server: 109[.]120[.]178[.]253,/__utm[.]gif
Country: France (AS210644)
ASN: AEZA-AS
#C2 #cobaltstrike

#ln -s :malware_traffic: RT Unit 42: 2024-04-18 (Thursday): #SSLoad infection leads to #CobaltStrike DLL. In this case we saw no follow-up Cobalt Strike C2 tr…

#TTP

💥[T1204] Rust Loader execution
🧩[T1027] Encode info (XOR)
🪢[T1140] Decode info
🔃[T1620] Load SC in memory
🛠️[S0154] CobaltStrike usage
🔍[T1021] SMB CobaltStrike
📡[T1071] Beacon #C2 communication

Cobalt Strike Server Found
C2: HTTP @ 106[.]54[.]236[.]42:8443
C2 Server: 172[.]247[.]189[.]234,/Claim/v5[.]6/ZZ1QB9MLS
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 175[.]178[.]160[.]155:4443
C2 Server: 175[.]178[.]160[.]155,/Complete/pr/H6TCQRWR
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 185[.]196[.]9[.]234:443
C2 Server: 1488[.]winstate[.]cc,/fwlink
Country: Italy (AS42624)
ASN: SIMPLECARRIER
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 43[.]134[.]233[.]227:443
C2 Server: kh1[.]userjoy[.]com,/ca
Country: Singapore (AS132203)
ASN: TENCENT-NET-AP-CN Te...
Host Header: cloud[.]tencent-cs[.]com
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTP @ 43[.]143[.]168[.]206:81
C2 Server: 43[.]143[.]168[.]206,/jquerys-6[.]3[.]5[.]max[.]js
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 111[.]230[.]25[.]167:443
C2 Server: service-lj3klqg6-1308639534[.]gz[.]tencentapigw[.]com[.]cn,/api/getit
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 124[.]222[.]173[.]133:443
C2 Server: 124[.]222[.]173[.]133,/jquery-3[.]3[.]1[.]min[.]js
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
Host Header: codasdase[.]jquery[.]com
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 43[.]143[.]168[.]206:443
C2 Server: service-e1idmqlj-1259321672[.]bj[.]tencentapigw[.]com[.]cn,/api/x
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike

Cobalt Strike Server Found
C2: HTTPS @ 175[.]178[.]160[.]155:443
C2 Server: jxvtcm[.]cn,/Complete/pr/H6TCQRWR
Country: China (AS45090)
ASN: TENCENT-NET-AP Shenz...
#C2 #cobaltstrike