Cobalt Strike Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cobalt-strike/
Fri, 05 Jan 2024 05:39:48 +0000

ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers
https://gridinsoft.com/blogs/zuorat-trojan-hacks-routers/
Thu, 30 Jun 2022 16:53:15 +0000

Lumen Black Lotus Labs has discovered a new Remote Access Trojan (RAT) called ZuoRAT, attacking remote workers’ routers in North America and Europe since 2020. The malware appeared in the first months of the COVID-19 pandemic but remained unnoticed for more than two years.

The researchers write that the complexity of this targeted campaign, as well as the tactics and methods of “work” of the attackers, indicate that some government hackers are behind ZuoRAT.

“Everything points to a complex entity that we assume has been living unnoticed at the edge of target networks for years,” Lumen Black Lotus Labs experts say.

Recall that we also wrote that Trojan Qbot Took Advantage of the Famous Follina Vulnerability, and also that Trojan Source attack is dangerous for compilers of most programming languages.

As noted above, the start of this campaign coincided with the widespread shift to remote work following the beginning of the COVID-19 pandemic, which has dramatically increased the number of routers (including Asus, Cisco, DrayTek and NETGEAR devices) used by employees to access corporate networks remotely.

“The sudden transition to remote work caused by the pandemic has allowed sophisticated attackers to take advantage of this opportunity to undermine the traditional defense-in-depth position of many well-established organizations,” says Lumen Black Lotus Labs.

Hackers gained initial access to the routers by looking for known unpatched vulnerabilities, which were then used to download a remote access tool. Having gained access to the network, the attackers delivered a shellcode loader for the next stage of the attack, which was used to deploy Cobalt Strike and custom backdoors, including CBeacon and GoBeacon, both capable of executing arbitrary commands.


The researchers say that this group’s malware is capable of conducting in-depth surveys of the target network, collecting traffic, and intercepting network communications, and generally describe it as a heavily modified version of the well-known Mirai malware.

“ZuoRAT is a MIPS file compiled for SOHO routers that is capable of intercepting packets transmitted through an infected device and performing man-in-the-middle attacks (DNS and HTTPS interception based on predefined rules),” the experts write.

The malware also actively collects TCP connections on ports 21 and 8443, which are associated with FTP and web browsing, potentially allowing the attackers to monitor the Internet activity of victims behind a compromised router.

ZuoRAT also includes functions for monitoring DNS and HTTPS traffic. These are used to intercept requests and redirect victims to malicious domains according to predefined rules that are generated and stored in temporary directories.

ZuoRAT also allowed hackers to move further along the victim’s network to compromise other devices and deploy additional payloads (such as Cobalt Strike beacons). During such attacks, the already mentioned CBeacon and GoBeacon Trojans were used.

At the same time, hackers took various steps to hide their actions. For example, behind the attacks was a complex, multi-layered C&C infrastructure that included using a virtual private server to propagate the initial RAT exploit, as well as the use of the compromised routers themselves as C&C proxies.


The researchers note that, like most router malware, ZuoRAT does not survive reboots. A simple restart of the infected device will remove the original ZuoRAT exploit stored in the temporary directory. However, to fully restore infected devices, experts advise performing a factory reset. It is also emphasized that devices connected to a hacked router may already be infected with other malware, and it will be impossible to cure them just as quickly.

Chinese Hackers Use Ransomware As a Cover for Espionage
https://gridinsoft.com/blogs/chinese-hackers-and-espionage/
Mon, 27 Jun 2022 08:50:37 +0000

Secureworks experts have found that Chinese hackers from two groups that specialize in espionage and theft of intellectual property from Japanese and Western companies use ransomware to hide their actions.

Let me remind you that we also wrote that Chinese Hacker Group Revealed after a Decade of Undetected Espionage, and also that Chinese Hackers Attack 0-day Follina Vulnerability.

Analysts write that the use of ransomware in espionage campaigns helps hide traces, complicates the attribution of attacks, and distracts the attention of the victim company’s IT specialists. In addition, it disguises the theft of confidential information as a financially motivated attack.


A similar disguising method is practiced by Bronze Riverside (APT41) and Bronze Starlight (APT10). Both use the HUI loader to deploy remote access tools, including PlugX, Cobalt Strike, and QuasarRAT.

Starting in March 2022, the Bronze Starlight group used Cobalt Strike to deploy ransomware (including LockFile, AtomSilo, Rook, Night Sky, and Pandora) on their victims’ networks, according to researchers. These attacks also used a new version of the HUI loader, which is able to intercept Windows API calls and disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).

“Based on the order in which these ransomware families emerged from mid-2021, the attackers likely developed LockFile and AtomSilo first and then moved on to Rook, Night Sky and Pandora,” experts say.

Studying the configuration of the Cobalt Strike beacons used in three different attacks involving AtomSilo, Night Sky, and Pandora revealed a common control server address. It is also noted that this year the same source was used to upload samples of the HUI loader to VirusTotal.

In the studied cases, the activity of LockFile, AtomSilo, Rook, Night Sky and Pandora was unusual compared with ordinary financially motivated ransomware attacks: the attacks targeted a small number of victims, lasted a short time, and then the hackers completely abandoned the project and moved on to the next one.


Secureworks writes that Pandora and the latest version of the HUI loader share code similarities. LockFile and AtomSilo also look alike, while Night Sky, Pandora, and Rook, which are based on the Babuk malware source code, also have a lot in common.


Experts summarize that Bronze Starlight clearly has no difficulty creating short-lived ransomware variants that are needed only to disguise spying operations as ransomware attacks and complicate attribution. The studied ransomware is based on publicly available or leaked source code, and Chinese hackers are known for willingly sharing tools and infrastructure with each other. This makes attribution and the tracing of possible connections extremely difficult in such cases, and conclusions can rarely be drawn with confidence.

Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine
https://gridinsoft.com/blogs/russian-hackers-use-follina/
Thu, 23 Jun 2022 10:02:07 +0000

The Ukraine Computer Emergency Response Team (CERT-UA) said Russian hackers are exploiting the Follina vulnerability in new phishing campaigns to install CredoMap malware and Cobalt Strike beacons.

According to experts, the APT28 hacker group (Strontium, Fancy Bear and Sofacy) sends out emails with a malicious document called “Nuclear Terrorism Is a Real Threat.rtf”.

The hackers chose this topic to encourage the recipient to open the document, as fear of a potential nuclear attack is common among Ukrainians.

Let me remind you that we reported that Hacker groups split up: some of them support Russia, others Ukraine, and also that War in Ukraine triggered a Stream of amateurish ransomware.

The RTF document exploits the CVE-2022-30190 (Follina) vulnerability to download and run the CredoMap malware (docx.exe) on the victim’s device.


According to a Malwarebytes report, the payload is an infostealer that steals credentials and cookies from the Chrome, Edge, and Firefox browsers. The malware then exfiltrates the stolen data over the IMAP email protocol to a C2 address hosted on an abandoned site in Dubai.

CERT-UA also identified another campaign, attributed to the threat actor UAC-0098, that uses CVE-2022-30190.

CERT-UA reported that the threat actor used a DOCX file named “Penalty.docx”; the payload retrieved from the remote resource is a Cobalt Strike beacon (ked.dll) with a recent compilation date.


The e-mails sent out allegedly come from the State Tax Service of Ukraine.

“It was established in mutual coordination with the subject that the DOCX document was hidden in the password-protected archive ‘Imposition of Penalty Sanctions.zip’ (email subject: ‘Information about non-payment of tax’),” CERT-UA specialists report.

Due to Russia’s invasion of Ukraine, many citizens have temporarily stopped paying taxes to the state, so the bait can be effective against many Ukrainians.

CERT-UA advised employees of organizations to remain vigilant about phishing emails as the number of spear phishing attacks remains high.

A WSO2 Vulnerability is Fraught with Remote Code Execution
https://gridinsoft.com/blogs/vso2-rce-vulnerability/
Tue, 31 May 2022 22:04:00 +0000

The products by WSO2, an open-source API, applications, and web services provider, have been attacked in the wild through the CVE-2022-29464 vulnerability detected back in April 2022.

This vulnerability allows attackers to execute malicious code remotely via unhindered file uploading.

The attack begins with the installation of a web shell by uploading *.jsp or *.war files through the CVE-2022-29464 vulnerability. Once the web shell is installed, the attacker uses it to launch an arbitrary Java process.

RELATED: Microsoft warns of growing number of attacks using web shells.

Scheme of the attack. Image: Trend Micro

The attack results in the installation of a coin miner and a Cobalt Strike beacon (backdoor). The cryptocurrency miner is installed via a wget command launched from the Java process, which downloads the auto.sh file (the miner itself). In the meantime, another part of the attack also proceeds via the web shell: the Java process calls a chmod command that modifies permissions so that a process named “LBcgqCymZQhm” can be run, again through the same Java process. That process establishes an outbound connection to the IP address 179[.]60[.]150[.]29 on port 4444, previously tracked as a location involved in numerous Cobalt Strike attacks. The LBcgqCymZQhm process is therefore a Cobalt Strike backdoor beacon.

The most interesting thing is that the Cobalt Strike beacon, originally designed for Windows, turned out to work on Linux during these attacks. This means the hackers deliberately worked on the backdoor’s compatibility with Linux.

The vulnerable software includes WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as a Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above. Patches are already available, so all users of the listed products are advised to apply them as soon as possible.

WSO2’s many clients span numerous industries, including critical ones such as healthcare, finance, energy, education, communications, and government. Needless to say, should the hackers exploit the CVE-2022-29464 vulnerability against unpatched systems, the consequences could be drastic.

Fake Exploits Used to Deliver Cobalt Strike Beacons
https://gridinsoft.com/blogs/cobalt-strike-beacons/
Wed, 25 May 2022 22:43:08 +0000

Cyble experts have warned that cybercriminals are attacking information security researchers, distributing malware under the guise of exploits for Windows that eventually installs Cobalt Strike beacons on the researchers’ machines.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Cyble analysts report that malware disguised as PoC exploits for a pair of Windows vulnerabilities (CVE-2022-24500 and CVE-2022-26809), which Microsoft patched in its April Patch Tuesday update, recently appeared on GitHub.

“Upon investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500. Both the malicious samples were available on GitHub. Interestingly both repositories belong to the same profile, indicating the possibility that Threat Actor (TA) might be hosting a malware campaign targeting Infosec Community,” Cyble analysts reported.


Fake exploits were published in the repositories of the user rkxxz, which have now been deleted along with the account itself. As always happens after the publication of PoC exploits, the news quickly spread on Twitter and even attracted the attention of attackers on hacker forums.


You might also be interested in how Cybersecurity Experts Analyzed the Methods of a Group of Russian Hackers Wizard Spider.

It soon became clear that the exploits were in fact fake and that Cobalt Strike beacons were being installed on people’s devices. Cyble analysts took a closer look at the fake PoCs and found that they are written in .NET and pretend to exploit a supplied IP address while actually infecting the user with a backdoor.


The deobfuscated exploit sample showed that the fake PoC runs a PowerShell script that executes another gzip-compressed PowerShell script (VirusTotal) to inject the beacon into memory.

The researchers note that this is not the first case of targeted attacks on cybersecurity experts. The fact is that by attacking members of the cybersecurity community, in theory, attackers not only gain access to data on vulnerability research (which the victim can work on), but can also gain access to the network of a cybersecurity company. And this can be a real gold mine for hackers.

Cobalt Strike is a legitimate commercial tool built for pentesters and red teams and focused on post-exploitation operations. Unfortunately, it has long been favored by attackers ranging from government APT groups to ransomware operators.

Although the tool is not available to ordinary users, attackers still find ways to use it (for example, rely on old, pirated, hacked and unregistered versions).

Cybersecurity Experts Analyzed the Methods of a Group of Russian Hackers Wizard Spider
https://gridinsoft.com/blogs/wizard-spider-group/
Mon, 23 May 2022 06:50:59 +0000

Information security specialists from PRODAFT have published the results of an investigation into the Wizard Spider group, which is allegedly associated with the Grim Spider and Lunar Spider hacker groups.

The Wizard Spider group, possibly of Russian origin, manages an infrastructure of “a complex set of sub-commands and groups, controls a huge number of hacked devices, and uses a highly developed workflow to ensure security and a high pace of work.”

Let me remind you that we also reported that Leaked Conti ransomware source codes were used to attack Russian authorities, and also that State Department Offers $1 million for Info on Russian Hackers.

Various cybercriminal campaigns now use a business model that includes hiring the best specialists and creating a financial basis for depositing, transferring and laundering proceeds, whether to make a profit or to work in the interests of the state. Following this model, Wizard Spider reinvests part of its profits in development by investing in tools and software and hiring new specialists. According to the report, the group owns “hundreds of millions of dollars in assets.”

“The group’s incredible profitability allows its leaders to invest in illegal research and development. Wizard Spider is fully capable of hiring talented professionals, creating new digital infrastructure and gaining access to advanced exploits,” the researchers said.

Wizard Spider focuses on compromising corporate networks and “has a significant presence in nearly every developed country in the world, as well as many emerging economies.” The group’s victims include defense firms, corporate firms, equipment suppliers, hospitals and infrastructure companies.

Wizard Spider attacks start with spam and phishing using QBot and the SystemBC proxy. The group can also infiltrate a business through compromised email between employees in Business Email Compromise (BEC) schemes.

After gaining access to the system, the group can deploy Cobalt Strike and attempt to gain domain administrator rights. Once the Conti malware is deployed and the computers and hypervisor servers are encrypted, the hacker can demand a ransom from the victim. Compromised devices are managed through the control panel.


Wizard Spider uses VPNs and proxy servers to hide its tracks. The group has invested in VoIP systems and employees who call victims and intimidate them into paying a ransom.

The Sekhmet, Maze, and Ryuk groups have used such scare tactics in the past. Coveware suspects that such “call center” work could be outsourced to cybercriminals, as the templates and scripts used are often the same.

Another notable tool is the Wizard Spider hack station. This dedicated setup stores cracked hashes and launches attacks to recover domain credentials and other forms of hashes.

The station also informs the team on the status of the hack. There are currently 32 active station users. Also, several servers were found containing a cache with tactics, methods, exploits, information about crypto wallets and encrypted ZIP files with notes of attacking groups.

“The Wizard Spider team has shown they can monetize many aspects of their business. The group is responsible for a huge amount of spam on hundreds of millions of devices, as well as data leaks and ransomware attacks on important objects,” added PRODAFT specialists.

Emotet now installs Cobalt Strike beacons
https://gridinsoft.com/blogs/emotet-now-installs-cobalt-strike-beacons/
Thu, 09 Dec 2021 19:44:50 +0000

The researchers warn that Emotet now directly installs Cobalt Strike beacons on infected systems, providing immediate access to the network for attackers. Those can use it for lateral movement, which will greatly facilitate extortion attacks.

Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

“Some of the infected computers were instructed to install Cobalt Strike, a popular post-exploitation tool. Emotet itself collects a limited amount of information about the infected machine, but Cobalt Strike can be used to evaluate a broader network or domain assessment, looking for suitable victims for further infection, such as ransomware,” experts say. “While Cobalt Strike was trying to contact the lartmana[.]com domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

“It is very serious. Usually, Emotet will drop TrickBot or QakBot, which in turn will drop Cobalt Strike. In a normal situation, you have about a month between the first infection and the extortion. With Emotet dropping CS directly, this delay is likely to be much shorter,” security specialist Marcus Hutchins warns on Twitter.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

“We do not yet know if the Emotet operators intend to collect the data for their own use, or if it is part of a chain of attacks belonging to one of the other families of malware. Given the quick removal, it could have been a test, or even an accident,” the experts summarize, promising to continue monitoring.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.
