cyble-poc-fake-cobalt-strike

Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon

Recently Cyble researchers came across a post where a researcher mentioned about fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500. Both the malicious samples were available on GitHub. Interestingly both repositories belong to the same profile, indicating the possibility that Threat Actor (TA) might be hosting a malware campaign targeting Infosec Community.

Figures 1 and 2 show the malware hosted on GitHub.

Figure 1: Exploit for CVE-2022-26809
Figure 2: Exploit for CVE-2022-24500

TA used this unique technique to lure individuals into executing the malware. In the last 24 hours, TAs were also discussing these exploits on the cybercrime forum. For example, we came across a post where TAs discussed CVE-2022-24500, pointing to the fake POC GitHub repository, as shown in Figure 3.

Figure 3: Post on a cybercrime forum

Technical Details:

The malware is a .Net binary packed with ConfuserEX, a free, open-source protector for .NET applications. The figure below shows the file details.

Figure 4: File details

The malware does not have any exploit code targeting the above vulnerabilities. Instead, it prints a fake message showing that it is trying to exploit and executes shellcode, as shown in Figure 5.

Figure 5: Prints fake message

The malware uses the Sleep() function to print the messages after a small interval, to appear more legitimate. Figure 6 shows the code snippet of malware that print fake messages on execution.

Figure 6: Unpacked Code

After printing the fake message, the malware executes the hidden PowerShell command using cmd.exe to deliver the actual payload. The below figure depicts the network communication to a command-and-control server for downloading the Cobalt-Strike Beacon.

Figure 7: Network communication

The Cobalt-Strike Beacon can be used for other malicious activities such as downloading additional payloads, lateral movement, etc. This fact possibly indicates that the infosec community is also an active target of attackers.

Conclusion

TAs are adopting various techniques to carry out attacks. In this case, we witnessed how the TA used fake POCs to lure the victims into executing the malware. Usually, people working in information security or TAs use exploits to check for vulnerabilities. Hence, this malware might only target people from this community. Therefore, it becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Avoid downloading files from unknown websites.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems. 

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Execution  T1204 User Execution 
Defense Evasion T1140Deobfuscate/Decode Files or Information
Command and Control T1071Application Layer Protocol 

Indicators of Compromise (IOCs)

Indicators Indicator type Description 
192.10.22.112 45.197.132.72IPC2
7e0c8be0d03c75bbdc6fd286a796434a 0e2e0d26caa32840a720be7f67b49d45094861cb 6c676773700c1de750c3f8767dbce9106317396d66a004aabbdd29882435d5e0MD5 SHA-1  SHA-256 Malicious binary
fdcf0aad080452fa14df221e74cca7d0 7431846d707140783eea466225e872f8757533e3 fa78d114e4dfff90a3e4ba8c0a60f8aa95745c26cc4681340e4fda79234026fd  MD5 SHA-1  SHA-256 Malicious Binary
Scroll to Top