Cobalt Strike Archives - Cyber Security News
https://cybersecuritynews.com/tag/cobalt-strike/
World's #1 Premier Cybersecurity and Hacking News Portal
Fri, 06 Dec 2024 14:30:26 +0000

Researchers Uncover Malicious Use Of Cobalt Strike Servers In Cyber Attacks
https://cybersecuritynews.com/malicious-cobalt-strike-servers-uncovered/
Fri, 06 Dec 2024 14:20:43 +0000

The post Researchers Uncover Malicious Use Of Cobalt Strike Servers In Cyber Attacks appeared first on Cyber Security News.

Cybersecurity researchers have identified a cluster of servers exploiting the latest version of Cobalt Strike, a legitimate penetration testing tool, for malicious purposes.

The discovery highlights the ongoing misuse of cybersecurity tools by threat actors to facilitate sophisticated cyber attacks.

Cobalt Strike, widely used by security professionals for testing network defenses, has become a favorite among cybercriminals due to its powerful post-exploitation capabilities.

The latest version, 4.10, released in July 2024, introduced advanced features such as BeaconGate for enhanced evasion, Postex Kit for system interaction, and Sleepmask-VS to reduce detection risks.

While these updates were designed to improve legitimate red team operations, they also offer malicious actors new opportunities to evade detection and execute attacks.


Malicious Infrastructure Discovered

Hunt’s investigation uncovered a group of servers linked by a unique watermark identifier, “688983459,” embedded in the Cobalt Strike software.

This watermark was found across seven IP addresses hosted primarily on Amazon’s infrastructure, with one server using Microsoft’s services.

Network Infrastructure

These servers were configured to mimic legitimate organizations through domains such as “downloads.helpsdeskmicrosoft[.]com” and “public.open-dns[.]uk,” suggesting a targeted phishing campaign aimed at deceiving users.

The domains and configurations indicate that the attackers are likely targeting specific sectors or entities. Notably, the servers lacked recent TLS certificates, possibly to avoid detection or because the infrastructure is still under development.

Key technical indicators include shared SSH keys, configuration patterns, and public keys across the identified servers.

The beacon configurations revealed endpoints like “http://downloads.yourcoupons[.]net/jquery-3.3.1.min.js” and user agents designed to blend in with normal traffic.

Payloads extracted from these servers allowed researchers to further analyze the attackers’ tactics, techniques, and procedures (TTPs).

Researchers also identified another cluster of servers using a watermark associated with pirated versions of Cobalt Strike.

This cluster exhibited significant variation in versions and configurations but underscored the persistent misuse of cracked versions of the tool in cyber campaigns.

This discovery underscores the double-edged nature of cybersecurity tools like Cobalt Strike. While they are invaluable for legitimate security testing, their misuse by threat actors poses significant risks to organizations worldwide.

The findings highlight the importance of monitoring both common and rare watermarks within such tools to detect emerging threats.

Cybersecurity teams are urged to remain vigilant against infrastructure impersonating trusted brands and to enhance defenses against advanced evasion techniques enabled by tools like Cobalt Strike.

As attackers continue to adapt, proactive threat hunting and robust detection mechanisms remain critical in mitigating risks from such malicious campaigns.
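As an added example (not from Hunt's report or this article), the following Python script refangs the indicators quoted above, matches them against constructed proxy log lines, and flags a parsed beacon config carrying the reported watermark; the log layout and the `watermark` key are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article, kept in their defanged form.
DEFANGED_HOSTS = [
    "downloads.helpsdeskmicrosoft[.]com",
    "public.open-dns[.]uk",
    "downloads.yourcoupons[.]net",
]
DEFANGED_URLS = ["http://downloads.yourcoupons[.]net/jquery-3.3.1.min.js"]
WATERMARKS = {"688983459"}  # watermark reported across the seven servers

def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def load_indicators():
    hosts = {refang(h).lower() for h in DEFANGED_HOSTS}
    urls = {refang(u).lower() for u in DEFANGED_URLS}
    return hosts, urls

# Assumed proxy log layout: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_proxy_log(lines):
    """Return (src_ip, host, reason) for every line that touches a known indicator."""
    hosts, urls = load_indicators()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        url = m["url"].lower()
        host = urlsplit(url).hostname or ""
        if url in urls:
            hits.append((m["src"], host, "known beacon URL"))
        elif host in hosts or any(host.endswith("." + h) for h in hosts):
            hits.append((m["src"], host, "known C2 host"))
    return hits

def flag_watermark(beacon_config: dict) -> bool:
    """Flag a parsed beacon config whose 'watermark' value (assumed key) is on the list."""
    return str(beacon_config.get("watermark", "")) in WATERMARKS

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-12-06T10:00:01Z 10.0.0.5 GET http://downloads.yourcoupons.net/jquery-3.3.1.min.js 200",
    "2024-12-06T10:00:02Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2024-12-06T10:00:03Z 10.0.0.9 GET https://public.open-dns.uk/ 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` reports the first and third lines; subdomains of a listed host are also matched.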


China-Nexus Hackers Hijack Websites to Deliver Cobalt Strike Malware
https://cybersecuritynews.com/china-nexus-hackers-hijack-websites/
Wed, 13 Nov 2024 12:30:46 +0000

The post China-Nexus Hackers Hijack Websites to Deliver Cobalt Strike Malware appeared first on Cyber Security News.

Chinese state-sponsored hackers recently compromised two prominent Tibetan websites in a sophisticated cyber-espionage campaign to distribute the notorious Cobalt Strike malware.

The attack, attributed to the threat group TAG-112, highlights the ongoing digital threats faced by ethnic and religious minorities in China.

Recorded Future observed that the attackers compromised the two websites, Tibet Post and Gyudmed Tantric University, in late May 2024. Both sites use the Joomla content management system, which the attackers exploited to inject malicious JavaScript code.


The hackers employed a clever social engineering tactic to trick visitors into downloading the malware:

  1. Malicious JavaScript detects if the visitor is using a Windows operating system.
  2. If compatible, the script initiates a connection to the attacker’s command-and-control domain.
  3. A spoofed TLS certificate error page mimics Google Chrome’s warning.
  4. Users are prompted to download a “security certificate” to resolve the issue.
  5. Clicking the download link initiates the Cobalt Strike payload.

Cobalt Strike: A Powerful Cyber Weapon

Cobalt Strike is primarily designed as a penetration testing tool and has become a favorite among cybercriminals and state-sponsored actors. It provides robust capabilities for:

  • Remote access
  • Lateral movement within networks
  • Command and control operations

This campaign identified six distinct Cobalt Strike Beacon samples, all communicating with the attackers’ infrastructure.

TAG-112’s operations share similarities with another Chinese APT known as TAG-102 (Evasive Panda). Both groups target Tibetan communities and use similar tactics. However, TAG-112 appears less sophisticated, relying on off-the-shelf malware rather than custom tools.

This campaign underscores China’s ongoing efforts to monitor and control ethnic and religious minorities. The targeting of Tibetan websites aligns with the Chinese government’s broader strategy of surveillance and information control.

To protect against such attacks, organizations should implement robust intrusion detection and prevention systems, conduct regular user training on phishing and social engineering tactics, enable real-time monitoring for Cobalt Strike C&C servers, and maintain vigilant network traffic analysis.

As cyber-espionage campaigns continue to evolve, potential targets, especially minority groups and organizations, must remain vigilant and prioritize cybersecurity measures. The TAG-112 attack is an important reminder of the persistent digital threats communities face under scrutiny from state actors.
