Home
Threat Intelligence Posts
Malware Intelligence

Cobalt Strike Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Cobalt Strike malware delivered by Iranian APT group MuddyWater, weaponizes Word documents.
Updated on
April 19, 2023
Published on
December 31, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
Advisory
 Malware Intelligence
Potential Threat Actors
 MuddyWater
Targeted Platform
 Windows
  The Iranian APT MuddyWater potentially uses a new strand of malware. The new variant weaponizes Word documents, embedded with malicious macros, that are sent to the victims as part of a phishing attack. The macros then launch a Powershell script that further downloads and x. The second Powershell script downloads a legitimate image that contains a Cobalt Strike malware encoded in the pixels of the image.

Malware Execution

When the malware is executed in the infected environment, it launches a Powershell script which further downloads a second Powershell script which is hosted on Github. The Powershell script then downloads an image [PNG] from the image hosting platform Imgur.com, which hides an encoded Cobalt Strike payload in its pixels. After downloading the image the Powershell script decodes the payload which inturn enables the Cobalt Strike beacon to connect to the attackers’ infrastructure. Cobalt Strike masquerades as eicar, an anti-malware test file, to connect to the C2 server. The account that holds the Powershell script on Github. Powershell script on Github  

Tactics, Techniques, and Procedures

Tactics
Techniques
Initial Access T1566.001 Phishing: Spear Phishing Attachment
Execution T1059.001 Command and Scripting Interpreter: PowerShell
Defense Evasion T1140 Deobfuscate/Decode Files or Information
T1027.003 Obfuscated Files or Information: Steganography
Command and Control T1001.002 Data Obfuscation: Steganography
 

Indicators of Compromise

  • d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
  • Ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
  • Domain:Port : Mazzion1234-44451[.]portmap[.]host:44451
  • Url: hxxp://Mazzion1234-44451.portmap.host/fVRO

Impact

Technical Impact:
  • The malware is responsible of downloading Cobalt Strike malware
  • The malware can lead to further attacks on the victims
Business Impact:
  • Privacy violation
  • Victims are exposed to other attacks

Mitigation

  • Be careful with any attachment delivered by emails
  • Stay updated with latest patching
  • Apply effective application control policies
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts
Hoze shell script dropped along with XMRig miners on misconfigured SSH Servers by Brute Forcing
September 8, 2023
3,20,000+ Patient Records From Ayush Jharkhand Gov. In Shared On Dark Web Hacking Forums
September 4, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more