2023-10-03 (TUESDAY): PIKABOT INFECTION WITH COBALT STRIKE
REFERENCES:
- https://www.linkedin.com/posts/unit42_pikabot-cobaltstrike-timelythreatintel-activity-7115093198233894912-ZhRp
- https://twitter.com/Unit42_Intel/status/1709327580380197038
ORIGINAL REFERENCES:
- https://twitter.com/Cryptolaemus1/status/1709238615904018605
- https://infosec.exchange/@[email protected]/111171942237441322
- https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_03.10.2023.txt
NOTES:
- During the infection run, the URL failed to retrieve the Pikabot installer DLL.
- Ran a copy of the associated Pikabot installer DLL from Malware Bazaar (see link below).
- Forensic analysis did not reveal any Cobalt Strike binary saved to disk.
- Thanks to @pr0xylife and the @Cryptolaemus1 crew for quickly sharing information so we could do an infection run!
INFECTION CHAIN:
- email --> URL from message text --> password-protected zip --> extracted Windows shortcut (.lnk) -->
URL generated by cURL command --> retrieves and runs Pikabot installer DLL --> Pikabot C2 --> Cobalt Strike activity
ASSOCIATED MALWARE:
- SHA256 hash: 02e2f8dd9d940865098ca5baf4705d542572180177a67c33ad658133f63fb0f8
- File size: 1,498 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=store
- File name: YU.zip
- File description: password-protected zip archive
- Password: 678
- Sample available at: https://bazaar.abuse.ch/sample/02e2f8dd9d940865098ca5baf4705d542572180177a67c33ad658133f63fb0f8/
- SHA256 hash: d57082ddb6cffaa1b6ad658bba6d79f958a7ea8afbd1f4e1ddfdddb4a7145961
- File size: 1,953 bytes
- File type: MS Windows shortcut
- File name: TZZ.pdf.lnk
- File description: extracted from the above zip archive, this shortcut is designed to retrieve & run Pikabot installer DLL
- SHA256 hash: aebff5134e07a1586b911271a49702c8623b8ac8da2c135d4d3b0145a826f507
- File size: 1,885,960 bytes
- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- File location: C:\Users\[username]\AppData\Local\Temp\UL.log
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\podogyniu\Birdman.dll
- File description: Pikabot installer DLL
- Run method: rundll32.exe [filename],HUF_inc_var
- Sample available at: https://bazaar.abuse.ch/sample/aebff5134e07a1586b911271a49702c8623b8ac8da2c135d4d3b0145a826f507/
PERSISTENCE:
- Scheduled task calls base64-encoded text/script from newly-created registry entry at HKCU\Software\Microsoft\podogyniu\Birdman
TRAFFIC TO RETRIEVE THE PIKABOT INSTALLER DLL:
- hxxp://207.246.78[.]68/6kQh/T7t
PIKABOT TRAFFIC:
- 167.86.81[.]87 port 2222 - attempted TCP connections
- hxxps://167.86.96[.]3:2222/Advena/[additional info]
- hxxps://79.141.175[.]96:2078/Advena/[additional info]
- hxxps://38.242.240[.]28:1194/Advena/[additional info]
- hxxps://209.126.9[.]47:2078/Advena/[additional info]
COBALT STRIKE TRAFFIC:
- 179.60.149[.]244 port 443 - HTTPS traffic
- 179.60.149[.]244 port 443 - zzerxc[.]com - HTTPS traffic
CERTIFICATES FOR HTTPS TRAFFIC:
SELF-SIGNED CERTIFICATE FOR PIKABOT SERVER AT 167.86.96[.]3:2222:
- Issuer:
-- id-at-countryName=MC
-- id-at-stateOrProvinceName=AN
-- id-at-organizationName=Unfingured Incept
-- id-at-organizationalUnitName=Admirable
-- id-at-localityName=Scapel Redfoot
-- id-at-commonName=aeroplaner.it
- Validity:
-- notBefore: 2023-10-02 19:09:10 (UTC)
-- notAfter: 2023-10-01 19:09:10 (UTC)
- Subject: [same data as Issuer fields]
SELF-SIGNED CERTIFICATE FOR PIKABOT SERVER AT 79.141.175[.]96:2078:
- Issuer:
-- id-at-countryName=LU
-- id-at-stateOrProvinceName=NO
-- id-at-organizationName=Scuncheon Forrard
-- id-at-organizationalUnitName=Sensifacient Trachyphonia
-- id-at-localityName=Unshuddering Monographist
-- id-at-commonName=bambusa.vote
- Validity:
-- notBefore: 2023-10-02 20:14:34 (UTC)
-- notAfter: 2023-10-01 20:14:34 (UTC)
- Subject: [same data as Issuer fields]
SELF-SIGNED CERTIFICATE FOR PIKABOT SERVER AT 38.242.240[.]28:1194:
- Issuer:
-- id-at-countryName=SI
-- id-at-stateOrProvinceName=AR
-- id-at-organizationName=Uplink
-- id-at-organizationalUnitName=Chalcis Sprauchling
-- id-at-localityName=Benthoscope Dialogued
-- id-at-commonName=stylelessness.stream
- Validity:
-- notBefore: 2023-10-02 19:03:47 (UTC)
-- notAfter: 2023-10-01 19:03:47 (UTC)
- Subject: [same data as Issuer fields]
SELF-SIGNED CERTIFICATE FOR PIKABOT SERVER AT 209.126.9[.]47:2078:
- Issuer:
-- id-at-countryName=SX
-- id-at-stateOrProvinceName=UN
-- id-at-organizationName=Reinjure Inc.
-- id-at-organizationalUnitName=Wurtzitic Hydrophilite
-- id-at-localityName=Faller
-- id-at-commonName=zoographermolligrubs.paris
- Validity:
-- notBefore: 2023-10-02 20:14:39 (UTC)
-- notAfter: 2023-10-01 20:14:39 (UTC)
- Subject: [same data as Issuer fields]
CERTIFICATE FOR COBALT STRIKE SERVER AT 179.60.149[.]244:443:
- Issuer:
-- id-at-countryName=US
-- id-at-organizationName=Let's Encrypt
-- id-at-commonName=R3
- Validity:
-- notBefore: 2023-09-24 09:10:46 (UTC)
-- notAfter: 2023-12-23 09:10:45 (UTC)
- Subject:
-- id-at-commonName=zzerxc.com
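The four Pikabot certificates above share two traits the Let's Encrypt certificate does not: Subject equals Issuer, and notAfter falls one day before notBefore. The parser and check below are an added example, not part of the original listing; the LISTING input is constructed from two of the blocks above in the page's own format, and the function names are this example's own.

```python
# Added example, not part of the original IOC listing: parse certificate blocks
# in the format used above and flag the traits shared by the Pikabot servers.
import re
from datetime import datetime
# Constructed input in the page's own format (two of the certificates above).
LISTING = """\
SELF-SIGNED CERTIFICATE FOR PIKABOT SERVER AT 167.86.96[.]3:2222:
- Issuer:
-- id-at-commonName=aeroplaner.it
- Validity:
-- notBefore: 2023-10-02 19:09:10 (UTC)
-- notAfter: 2023-10-01 19:09:10 (UTC)
- Subject: [same data as Issuer fields]
CERTIFICATE FOR COBALT STRIKE SERVER AT 179.60.149[.]244:443:
- Issuer:
-- id-at-commonName=R3
- Validity:
-- notBefore: 2023-09-24 09:10:46 (UTC)
-- notAfter: 2023-12-23 09:10:45 (UTC)
- Subject:
-- id-at-commonName=zzerxc.com
"""
HEADER = re.compile(r"^.* AT (\S+):(\d+):$")

def parse_listing(text):
    """One dict per certificate block: host, port, issuer, subject, validity."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            certs.append(cur := {"host": m[1], "port": int(m[2]), "issuer": {}, "subject": {}})
        elif line.startswith("- "):       # section header: Issuer / Validity / Subject
            section = line[2:].split(":")[0].lower()
            if section == "subject" and "same data as Issuer" in line:
                cur["subject"] = dict(cur["issuer"])
        elif line.startswith("-- "):      # field line, 'name=value' or 'name: value'
            key, _, val = line[3:].replace(" (UTC)", "").partition("=" if "=" in line else ": ")
            if section == "validity":
                cur[key] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S")
            else:
                cur[section][key.replace("id-at-", "")] = val
    return certs

def anomalies(cert):
    """Tags for the traits every Pikabot certificate in the listing exhibits."""
    tags = []
    if cert["issuer"] == cert["subject"]:
        tags.append("self-signed")
    if cert["notAfter"] <= cert["notBefore"]:
        tags.append("validity-inverted")  # expires before it becomes valid
    return tags
```

Run against the full listing, the Pikabot blocks all return both tags while the zzerxc.com certificate returns none.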