Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting MS-SQL servers that are vulnerable to malware attacks.

MS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of attack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers.

The attacker or the malware usually scans port 1433 to check for MS-SQL servers open to the public. It then performs brute forcing or dictionary attacks against the admin account, a.k.a. “sa” account to attempt logging in. Even if the MS-SQL server is not open to the public, there are types such as Lemon Duck malware that scans port 1433 and spreads for the purpose of lateral movement in the internal network.

Figure 1. List of Passwords for Dictionary Attack Used by LemonDuck

Managing admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers. Other malware besides Lemon Duck that target MS-SQL server includes CoinMiner malware such as Kingminer and Vollgar.

If the attacker succeeds to log in to the admin account through these processes, they use various methods including the xp_cmdshell command to execute the command in the infected system. Cobalt Strike that has recently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown below.

Figure 2. Process Tree

Cobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority of attacks including APT and ransomware. Malware that has recently been discovered is an injector that decodes the encoded Cobalt Strike inside, and executes and injects the normal program MSBuild.exe.

Figure 3. Cobalt Strike settings data

Cobalt Strike that is executed in MSBuild.exe has an additional settings option to bypass detection of security products, where it loads the normal dll wwanmm.dll, then writes and executes a beacon in the memory area of the dll. As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection.

Figure 4. Shellcode and strings used for wwanmm.dll

Although it is not certain in which method the attacker dominated MS-SQL and installed the malware, as the detection logs of Vollgar malware that was previously mentioned were discovered, it can be assumed that the targeted system had inappropriately managed the account credentials.

AhnLab’s ASD infrastructure shows numerous logs of Cobalt Strike over the past month. Seeing that the download URLs and the C&C server URL are similar, it appears that most of the attacks were by the same attacker. IOC of Cobalt Strike over the month is shown in the list below.

AhnLab products are equipped with process memory-based detection method and behavior-based detection feature that can counter the beacon backdoor which is used from the Cobalt Strike’s initial invasion stage to spread internally.

[File Detection]
– Trojan/Win.FDFM.C4959286 (2022.02.09.00)
– Trojan/Win.Injector.C4952559 (2022.02.04.02)
– Trojan/Win.AgentTesla.C4950264 (2022.02.04.00)
– Infostealer/Win.AgentTesla.R470158 (2022.02.03.02)
– Trojan/Win.Generic.C4946561 (2022.02.01.01)
– Trojan/Win.Agent.C4897376 (2022.01.05.02)
– Trojan/Win32.CobaltStrike.R329694 (2020.11.26.06)

[Behavior Detection]
– Malware/MDP.Download.M1197


Cobalt Strike (Stageless)
– ae7026b787b21d06cc1660e4c1e9e423
– 571b8c951febb5c24b09e1bc944cdf5f
– e9c6c2b94fc83f24effc76bf84274039
– 828354049be45356f37b34cc5754fcaa
– 894eaa0bfcfcdb1922be075515c703a3
– 4dd257d56397ec76932c7dbbc1961317
– 450f7a402cff2d892a7a8c626cef44c6

CobaltStrike (Stager)
– 2c373c58caaaca0708fdb6e2b477feb2
– bb7adc89759c478fb88a3833f52f07cf

– hxxp://92.255.85[.]83:7905/push
– hxxp://92.255.85[.]83:9315/en_US/all.js
– hxxp://92.255.85[.]86:80/owa/
– hxxp://92.255.85[.]90:81/owa/
– hxxp://92.255.85[.]90:82/owa/
– hxxp://92.255.85[.]92:8898/dot.gif
– hxxp://92.255.85[.]93:18092/match
– hxxp://92.255.85[.]93:12031/
– hxxp://92.255.85[.]94:83/ga.js

Beacon Download URL
– hxxp://92.255.85[.]93:18092/jRQO
– hxxp://92.255.85[.]93:12031/CbCt

Download URL
– hxxp://45.64.112[.]51/dol.exe
– hxxp://45.64.112[.]51/mr_robot.exe
– hxxp://45.64.112[.]51/lion.exe
– hxxp://81.68.76[.]46/kk.exe
– hxxp://81.68.76[.]46/uc.exe
– hxxp://103.243.26[.]225/acrobat.exe
– hxxp://103.243.26[.]225/beacon.exe
– hxxp://144.48.240[.]69/dola.exe
– hxxp://144.48.240[.]85/core.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers appeared first on ASEC BLOG.

Article Link: Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers - ASEC BLOG