It is an APT (Advanced persistent Threat) which is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. Ĭobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.Operation Cobalt Kitty What went inside Operation Cobalt Kitty? ![]() Ĭobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine. Ĭobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine. Ĭobalt Group has used regsvr32.exe to execute scripts. Ĭobalt Group has used odbcconf to proxy the execution of malicious DLL files. Ĭobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script. Supply Chain Compromise: Compromise Software Supply ChainĬobalt Group has compromised legitimate web browser updates to deliver a backdoor. Software Discovery: Security Software DiscoveryĬobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine. Ĭobalt Group has created Windows tasks to establish persistence. Ĭobalt Group has used Remote Desktop Protocol to conduct lateral movement. Ĭobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost. Ĭobalt Group has used the Plink utility to create SSH tunnels. Ĭobalt Group has injected code into trusted processes. Ĭobalt Group has sent emails with URLs pointing to malicious documents. xls, archives containing LNK files, and password protected archives containing. Ĭobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Ĭobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete. Obfuscated Files or Information: Command ObfuscationĬobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4. Ĭobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. Inter-Process Communication: Dynamic Data ExchangeĬobalt Group has sent malicious Word OLE compound documents to victims. The group's JavaScript backdoor is also capable of downloading files. Ĭobalt Group has used public sites such as and to upload files and then download them to victim computers. Ĭobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks. ![]() Ĭobalt Group has used exploits to increase their levels of rights and privileges. Ĭobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759. Įncrypted Channel: Asymmetric CryptographyĬobalt Group has used the Plink utility to create SSH tunnels. Ĭreate or Modify System Process: Windows ServiceĬobalt Group has created new services to establish persistence. Ĭommand and Scripting Interpreter: JavaScriptĬobalt Group has executed JavaScript scriptlets on the victim's machine. ![]() Ĭommand and Scripting Interpreter: Visual BasicĬobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. The group has used an exploit toolkit known as Threadkit that launches. Ĭommand and Scripting Interpreter: Windows Command ShellĬobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. Ĭommand and Scripting Interpreter: PowerShellĬobalt Group has used powershell.exe to download and execute scripts. īoot or Logon Initialization Scripts: Logon Script (Windows)Ĭobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript. ![]() The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. īoot or Logon Autostart Execution: Registry Run Keys / Startup FolderĬobalt Group has used Registry Run keys for persistence. Ĭobalt Group has used DNS tunneling for C2. Enterprise Layer download view Techniques Used DomainĪbuse Elevation Control Mechanism: Bypass User Account ControlĪpplication Layer Protocol: Web ProtocolsĬobalt Group has used HTTPS for C2.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |