

BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model. We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One™ platform, which comes with extended detection and response (XDR) capabilities.

BlackCat has versions that work on both Windows and Linux operating systems and in VMware’s ESXi environment. Our data indicates that BlackCat is primarily delivered via third-party frameworks and toolsets (for example, Cobalt Strike) and uses exploitation of exposed and vulnerable applications (for example, Microsoft Exchange Server) as an entry point.

In this incident, we identified the exploitation of CVE-2021-31207. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export a user mailbox to an arbitrary file location, which can be used to write a web shell on the Exchange Server. In this blog entry, we discuss the kill chain used by the malicious actors behind this incident and how we used the Trend Micro Vision One platform to track the threats involved. We also dive deeper into the notable post-exploitation routines that were used up to the host’s encryption. We begin with the Trend Micro Vision One platform, where we noticed an incident being created in the Vision One console with a few workbenches related to it. Upon checking, we noticed several suspicious web shells being dropped on the local Microsoft Exchange Server. Based on that information, we started the analysis of the Exchange Server.

The stager performs an HTTP GET request to a remote server, mimicking a normal jQuery request to the path /jquery-3.5.1. Because of the way malleable command-and-control (C&C) stagers work, the behavior depends on the content being downloaded. The shellcode then reads the server response, allocates memory (also using the VirtualAlloc function), copies the downloaded content to the allocated region, and transfers execution to a hard-coded offset within the downloaded content. During our research, we were not able to collect the payload from the remote server. However, using the Vision One platform, we collected enough information to state that the downloaded payload managed to spawn the WerFault.exe process and inject into it to host another Cobalt Strike beacon. It should be noted that all the following activities described in this blog post were performed by the injected WerFault.exe process.
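The web shell drop via New-MailboxExportRequest described above leaves a clear trace in Exchange's cmdlet logging: an export whose destination is a server-executable file or a web-served directory. The following detection is an added example written for this post, not Trend Micro's or Microsoft's code; the log line format, the account names and the paths are constructed, and the directory markers are an assumption about where Exchange serves content from.

```python
import re

# Constructed sample records shaped like an Exchange admin audit log (hypothetical
# format, not from the incident write-up): "<timestamp> <caller> <cmdlet and parameters>".
SAMPLE_LOG = [
    r'2021-06-01T10:02:11Z admin@corp.local New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\EXCH01\c$\Exports\jdoe.pst"',
    r'2021-06-01T10:05:43Z svc-backup@corp.local New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\EXCH01\c$\inetpub\wwwroot\aspnet_client\help.aspx"',
    r'2021-06-01T10:06:02Z attacker@corp.local New-MailboxExportRequest -Mailbox jdoe -FilePath \\localhost\c$\inetpub\wwwroot\aspnet_client\x.ashx',
    r"2021-06-01T10:07:15Z admin@corp.local Get-MailboxExportRequest",
]

# Extensions IIS executes, and (assumed) markers for Exchange's web-served directory trees.
WEB_SHELL_EXTS = {"aspx", "ashx", "asmx", "asp", "aspq"}
WEB_ROOT_MARKERS = ("\\inetpub\\wwwroot\\", "\\frontend\\httpproxy\\", "\\clientaccess\\")
# -FilePath value: double-quoted, single-quoted, or a bare token without whitespace.
FILEPATH_RE = re.compile(r"""-FilePath\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.IGNORECASE)

def extract_filepath(command):
    """Return the -FilePath argument of a cmdlet invocation, or None if absent."""
    m = FILEPATH_RE.search(command)
    return next((g for g in m.groups() if g is not None), None) if m else None

def export_target_reason(path):
    """Explain why an export destination looks like a web shell drop, or None if benign."""
    lower = path.lower().replace("/", "\\")
    filename = lower.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in WEB_SHELL_EXTS:
        return f"export written with server-executable extension .{ext}"
    if any(marker in lower for marker in WEB_ROOT_MARKERS):
        return "export written under a web-served directory"
    return None

def scan_export_requests(lines):
    """Return findings for New-MailboxExportRequest calls aimed at web-served targets."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        ts, caller, command = parts
        if not command.lower().startswith("new-mailboxexportrequest"):
            continue
        path = extract_filepath(command)
        reason = export_target_reason(path) if path else None
        if reason:
            findings.append({"time": ts, "caller": caller, "path": path, "reason": reason})
    return findings
```

Run it over exported cmdlet logs and pair each hit with the file-creation event at that path; a legitimate PST export to a share should never produce an executable file under the web root.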
