2023-09-07

Levels of Deception in a Cobalt Strike Phishing Intrusion

Level: Tactical


Category: Threat Actor Activity | Industry: Global | Source: Kostas

A report by security researcher Kostas on an intrusion identified in late June 2023 describes the delivery of a Cobalt Strike Beacon through a phishing email that lured victims under the guise of an opinion survey. The attackers attempted to disguise the malicious Beacon as a PDF document, using a fake ".pdf" extension in the filename to match the phishing email's subject. Following the initial infection, Kostas reports there "was a delay of around five hours between the time of the initial infection and the hands-on activity. After deciding to interact with the host, they added another Cobalt Strike Beacon under the 'C:\Users\Public' folder that had similar characteristics to the original payload."

The threat actors used Cobalt Strike Beacons for execution, notably Python-compiled binaries that extract their shared libraries and resources to a temporary location before running. The initial Cobalt Strike executable was disguised with metadata resembling that of a legitimate Google Chrome binary. The Beacon was configured to spawn into the 'rundll32' process, which presents a notable detection opportunity: Kostas recommends monitoring for "rundll32.exe processes spawning without any command line arguments."
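The detection Kostas recommends above, as an added example (not code from the original report): it parses Windows command lines, flags rundll32.exe launched with no arguments, and raises the severity when the parent process lives under the staging folder mentioned in the intrusion. The event shape and all sample records are constructed for illustration.

```python
import re

# Constructed sample process-creation events in a Sysmon-like shape
# (illustrative only; these are not logs from the intrusion described above).
SAMPLE_EVENTS = [
    {"pid": 4312, "parent_image": r"C:\Users\Public\survey.pdf.exe",
     "command_line": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 4320, "parent_image": r"C:\Users\Public\svc.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe"   '},
    {"pid": 5100, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 5188, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
]

# Parent processes executing from this user-writable folder raise the severity.
USER_WRITABLE = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)


def split_command_line(cmdline):
    """Return (image, args) from a Windows command line; handles a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the image
            return cmdline.strip('"'), ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1].strip() if len(parts) == 2 else "")


def is_rundll32_without_args(cmdline):
    """True when the image is rundll32.exe and nothing follows it on the command line."""
    image, args = split_command_line(cmdline)
    return image.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and args == ""


def detect(events):
    """Return (pid, severity) for each event matching the rundll32-without-arguments rule."""
    hits = []
    for ev in events:
        if not is_rundll32_without_args(ev["command_line"]):
            continue
        severity = "high" if USER_WRITABLE.match(ev["parent_image"]) else "medium"
        hits.append((ev["pid"], severity))
    return hits
```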

During the intrusion, the attackers staged files and established persistence using a scheduled task. They also attempted to deceive users by altering file extensions, deleting files, and hiding malicious files using 'attrib,' with the aim of evading detection and hindering analysis efforts. Kostas also observed that the threat actors carried out reconnaissance, querying running services and exploring the system directory, possibly using Cobalt Strike's VNC capability. Ultimately, the attackers exfiltrated files of interest via the Cobalt Strike Beacon, utilizing HTTP communication to their command and control (C2) infrastructure.
