Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The actor employed a multi-stage payload utilizing Cobalt Strike for initial access and lateral movement.
- Credential dumping was executed using Mimikatz, facilitating extensive access across the enterprise environment.
- Indicators of Compromise (IoCs) include specific IP addresses, hashes of the payload executables, and malicious file paths.
Executive Summary
During our investigation into a recent breach affecting a finance sector client, we observed a well-coordinated attack that leveraged advanced techniques typical of a sophisticated threat actor. The attack began with initial access achieved via a phishing campaign, followed by the deployment of a multi-stage malware payload. Our analysis revealed the use of Cobalt Strike as a primary tool for both command and control as well as lateral movement within the environment.
Initial Access
The attack vector was identified as a phishing email designed to lure users into downloading a malicious attachment. This attachment, disguised as an invoice PDF file, executed a PowerShell script upon opening. The script downloaded an initial payload from a remote server. The initial executable, which we designated as the dropper, was located at C:\Users\Public\Documents\Invoice.pdf.exe. Upon execution, it established a connection to the actor’s command and control (C2) infrastructure.
Execution & Persistence
Once the initial payload was executed, it downloaded additional components to enhance the attacker’s foothold. This included the Cobalt Strike beacon, which was configured for persistence by modifying the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key. The entry for the beacon was crafted for automatic execution at user login, allowing the actor to maintain access even after system reboots. The presence of Task Scheduler artifacts was also noted, which could indicate the actor’s attempts at ensuring persistence through multiple means.
Command and Control
The beacon initiated communication with command and control servers using HTTP over port 80, with traffic being carefully crafted to blend in with normal user behavior. We observed domain fronting techniques, suggesting the actor sought to obscure C2 URLs behind seemingly innocuous domains. The beaconing occurred at regular intervals, typically every 60 seconds, which aligns with known operational patterns for Cobalt Strike tools. The observed IPs, notably 192.0.2.1 and 198.51.100.2, were added to our threat intelligence database as potential C2 infrastructure.
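The fixed 60-second check-in described above is itself a detection signal. The following script is an added example, not tooling from the investigation or the report: it parses a constructed proxy log, groups requests by source and destination, and flags pairs whose inter-request gaps are machine-regular (low coefficient of variation), cross-referencing the destination against the two IPs the report names. The log format, hostnames and paths are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# IPs the report names as suspected C2 infrastructure.
KNOWN_C2 = {"192.0.2.1", "198.51.100.2"}

# Constructed sample proxy log (not from the investigation): one host beaconing to
# 192.0.2.1 every 60 seconds, interleaved with irregular browsing to 203.0.113.9.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:00:12Z 10.0.0.5 203.0.113.9 GET /news/index.html
2024-03-01T09:01:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:01:45Z 10.0.0.5 203.0.113.9 GET /news/story.html
2024-03-01T09:02:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:03:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:04:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:04:30Z 10.0.0.5 203.0.113.9 GET /images/logo.png
2024-03-01T09:05:00Z 10.0.0.5 192.0.2.1 GET /updates/check
2024-03-01T09:09:00Z 10.0.0.5 203.0.113.9 GET /about.html
"""

# Assumed log layout: <ISO timestamp> <src ip> <dst ip> <method> <path>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_proxy_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose request timing looks machine-regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between requests;
    a value near zero means a fixed sleep with no jitter, as the report observed.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_proxy_log(text):
        seen[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:  # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings[pair] = {
                "hits": len(stamps),
                "mean_interval": avg,
                "cv": cv,
                "known_c2": pair[1] in KNOWN_C2,
            }
    return findings


if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: {s['hits']} hits every {s['mean_interval']:.0f}s "
              f"(cv={s['cv']:.2f}, known C2={s['known_c2']})")
```

Beacons configured with jitter spread their gaps out, so `max_cv` is a tuning knob: raise it to catch jittered traffic at the cost of more false positives from legitimate pollers, and treat a match against `KNOWN_C2` as high confidence regardless of the timing statistics.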
Lateral Movement & Discovery
After establishing a foothold, lateral movement was enabled through credential dumping techniques using Mimikatz. The actor executed the tool in the context of a domain user account, allowing access to the security accounts manager (SAM) database. This maneuver allowed the actor to extract both hashed and clear-text credentials from memory. We identified suspicious processes executing mimikatz.exe from the path C:\Windows\System32\mimikatz.exe. Utilizing the stolen credentials, the actor accessed multiple internal systems, extending their influence within the network.
Impact & Objectives
The primary goal of the attack appeared to be data exfiltration, specifically targeting sensitive financial information. We tracked several instances of data transfer using FTP protocols to external servers controlled by the threat actor. One significant instance involved the transfer of employee W-2 forms, which could be exploited for tax fraud. Additionally, the actor attempted to deploy ransomware as a secondary payload, indicative of their intent to either extort the company or create further chaos within the environment.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Utilized HTTP for command and control communications.
- T1110.001 – Brute Force: Credential Dumping: Credentials were dumped utilizing Mimikatz.
- T1543.003 – Create or Modify System Process: Windows Service: Persistence maintained via Windows registry modifications.
Detection Opportunities
- Monitor for unusual command-line arguments associated with PowerShell execution that do not align with normal user behavior.
- Set up alerts for changes to sensitive registry keys related to startup programs and service configurations, particularly HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Implement frequent auditing of authentication logs for increased failed login attempts and unexpected credential dumping activity.
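The three detection opportunities above, together with the double-extension dropper and the mimikatz.exe path from the earlier sections, can be expressed as a small rule set. The script below is an added example and not part of the report: it runs those rules over a constructed batch of endpoint events (process creations, registry writes and logon results in a simplified dictionary form assumed for the example) and returns one alert per rule match. The failed-logon threshold and the suspicious-PowerShell pattern are assumed tuning choices.

```python
import re
from collections import Counter
from ntpath import basename  # splits Windows paths correctly on any host

# Registry key named in the report's persistence section.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FAILED_LOGON_THRESHOLD = 5  # assumed tuning value, not from the report

# Assumed indicators of scripted, non-interactive PowerShell use.
POWERSHELL_SUSPICIOUS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b",
    re.IGNORECASE,
)
# Document-looking names that are really executables, like Invoice.pdf.exe.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)
KNOWN_TOOLS = {"mimikatz.exe"}

# Constructed sample events modelled on the report; none are real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand AAAA"},
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\Documents\Invoice.pdf.exe", "cmdline": "Invoice.pdf.exe"},
    {"type": "registry", "user": "CORP\\jdoe", "key": RUN_KEY,
     "value": "Updater", "data": r"C:\Users\Public\beacon.exe"},
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "registry", "user": "CORP\\jdoe",
     "key": r"HKEY_CURRENT_USER\Software\Contoso\Settings", "value": "Theme", "data": "dark"},
    {"type": "logon", "user": "CORP\\svc_backup", "success": True},
] + [{"type": "logon", "user": "CORP\\svc_backup", "success": False} for _ in range(6)]


def detect(events):
    """Apply the report's detection opportunities to a list of events; return alerts."""
    alerts = []
    failed_logons = Counter()

    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"]).lower()
            if image == "powershell.exe" and POWERSHELL_SUSPICIOUS.search(ev["cmdline"]):
                alerts.append({"rule": "suspicious_powershell", "user": ev["user"],
                               "detail": ev["cmdline"]})
            if DOUBLE_EXTENSION.search(image):
                alerts.append({"rule": "double_extension_executable", "user": ev["user"],
                               "detail": ev["image"]})
            if image in KNOWN_TOOLS:
                alerts.append({"rule": "credential_dumping_tool", "user": ev["user"],
                               "detail": ev["image"]})
        elif ev["type"] == "registry":
            if ev["key"].lower() == RUN_KEY.lower():
                alerts.append({"rule": "run_key_persistence", "user": ev["user"],
                               "detail": f"{ev['value']} = {ev['data']}"})
        elif ev["type"] == "logon" and not ev["success"]:
            failed_logons[ev["user"]] += 1

    # Aggregate rule: only fires once per account that crosses the threshold.
    for user, count in failed_logons.items():
        if count >= FAILED_LOGON_THRESHOLD:
            alerts.append({"rule": "excessive_failed_logons", "user": user,
                           "detail": f"{count} failed logons"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

Each rule maps to one bullet above or to an artifact from the narrative, so a miss in testing points at a specific gap; in production the registry rule would also watch the Task Scheduler paths the report mentions, and the failed-logon count would be computed per time window rather than over the whole batch.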
Analyst Notes
This investigation highlights the importance of maintaining a robust security posture and the need for continuous monitoring of network traffic for anomalous behaviors. Additionally, employee training on identifying phishing attempts remains crucial in preventing initial access, as human error continues to be one of the most significant vulnerabilities in the cybersecurity landscape.