{"id":89961,"date":"2021-06-09T11:09:34","date_gmt":"2021-06-09T05:39:34","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89961"},"modified":"2023-08-08T17:52:38","modified_gmt":"2023-08-08T12:22:38","slug":"cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cobalt-strike-2021-analysis-of-malicious-powershell-attack-framework\/","title":{"rendered":"Cobalt Strike 2021 \u2013 Analysis of Malicious PowerShell Attack Framework"},"content":{"rendered":"<p>Cobalt Strike is a widespread threat emulation tool. It is one of the most powerful network attack tools available to penetration testers in recent years, used for various attack capabilities and as a command and control framework.<\/p>\n<p>Recently, Cobalt Strike has been used in various ransomware campaigns such as Povlsomware Ransomware and DarkSide Ransomware.<\/p>\n<p>Povlsomware Ransomware&#8217;s Cobalt Strike compatibility feature allows it to perform in-memory loading and execution. In the case of DarkSide Ransomware, attackers deployed a persistent Cobalt Strike backdoor to a few systems and then acquired administrative credentials. The stolen credentials were then used to deploy the DarkSide Ransomware. 
Although Cobalt Strike is capable of many different types of attacks, the following are some of its major attack modules.<\/p>\n<ul>\n<li><strong>System profiler<\/strong>\n<ul>\n<li>A module for detecting which versions of applications the target uses.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Website clone<\/strong>\n<ul>\n<li>Creates a local copy of a website and records the data submitted to it.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Scripted web delivery<\/strong>\n<ul>\n<li>A PowerShell or Python one-liner, i.e., one continuous line of command, is used to download and run the beacon payload.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Java Signed Applet Attack<\/strong>\n<ul>\n<li>Starts a web server hosting a self-signed Java applet. A visitor is compromised as soon as they grant permission to run the applet.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Spear phishing<\/strong>\n<ul>\n<li>Generates spear-phishing messages using a personalized message as a template.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Browser Pivoting<\/strong>\n<ul>\n<li>Cobalt Strike module for stealing cookies and sessions from the targeted user\u2019s browser.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>\u201cScripted web delivery\u201d PowerShell framework<\/strong><\/p>\n<p>One of the most used features of Cobalt Strike is an attack using <a href=\"https:\/\/blogs.quickheal.com\/powershell-an-attackers-paradise\/\">PowerShell<\/a>. PowerShell is a scripting language and a command-line shell. It is a legitimate tool, but it can run a script directly in memory. Utilizing this feature, an attacker can perform remote code execution. Cobalt Strike has a scripted web delivery feature that allows it to download and run the payload through PowerShell. 
Once the attacker gets a session, they can interact with the victim\u2019s system, extract information, and carry out post-exploitation activities.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_89986\" aria-describedby=\"caption-attachment-89986\" style=\"width: 532px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89986\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.1-Attack-Flow-532x390.png\" alt=\"Attack Flow Diagram\" width=\"532\" height=\"390\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.1-Attack-Flow-532x390.png 532w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.1-Attack-Flow-300x220.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.1-Attack-Flow.png 619w\" sizes=\"(max-width: 532px) 100vw, 532px\" \/><figcaption id=\"caption-attachment-89986\" class=\"wp-caption-text\"><em>Fig.1 Attack Flow<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><strong>Cobalt Strike PowerShell web delivery analysis:<\/strong><\/p>\n<p>Here is an example of a common PowerShell script embedded in malicious documents.<\/p>\n<figure id=\"attachment_89987\" aria-describedby=\"caption-attachment-89987\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89987\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.2-PowerShell-script-650x106.png\" alt=\"PowerShell script\" width=\"650\" height=\"106\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.2-PowerShell-script-650x106.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.2-PowerShell-script-300x49.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.2-PowerShell-script.png 689w\" sizes=\"(max-width: 650px) 100vw, 650px\" 
\/><figcaption id=\"caption-attachment-89987\" class=\"wp-caption-text\"><em>Fig.2 PowerShell script<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>Here an obfuscation technique is used, and the data is base64-encoded. The switch \u201c-w hidden\u201d instructs PowerShell not to create a visible window. Here is the decoded form of the same PowerShell script:<\/p>\n<figure id=\"attachment_89988\" aria-describedby=\"caption-attachment-89988\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89988\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.3-PowerShell-script-part_1-650x119.png\" alt=\"PowerShell script part_1\" width=\"650\" height=\"119\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.3-PowerShell-script-part_1-650x119.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.3-PowerShell-script-part_1-300x55.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.3-PowerShell-script-part_1.png 688w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89988\" class=\"wp-caption-text\"><em>Fig.3 PowerShell script part_1<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_89989\" aria-describedby=\"caption-attachment-89989\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89989\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.4-PowerShell-script-part_2-650x34.png\" alt=\"PowerShell script part_2\" width=\"650\" height=\"34\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.4-PowerShell-script-part_2-650x34.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.4-PowerShell-script-part_2-300x16.png 300w, 
https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.4-PowerShell-script-part_2.png 691w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89989\" class=\"wp-caption-text\"><em>Fig.4 PowerShell script part_2<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>The decoded data is divided into two parts. At the start, the information is base64-encoded, and at the end of the file, the data is Gzip-compressed and then base64-encoded. A similar obfuscated script was captured in network traffic as well.<\/p>\n<figure id=\"attachment_89990\" aria-describedby=\"caption-attachment-89990\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89990\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic-650x76.png\" alt=\"Captured network traffic\" width=\"650\" height=\"76\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic-650x76.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic-300x35.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic-768x90.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic-789x92.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.5-Captured-network-traffic.png 1024w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89990\" class=\"wp-caption-text\"><em>Fig.5 Captured network traffic<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_89991\" aria-describedby=\"caption-attachment-89991\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89991\" 
src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.6-Python-script-650x115.png\" alt=\"Python script\" width=\"650\" height=\"115\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.6-Python-script-650x115.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.6-Python-script-300x53.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.6-Python-script.png 692w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89991\" class=\"wp-caption-text\"><em>Fig.6 Python script<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>After base64-decoding it using the above Python script and then decompressing it with Gzip, we obtained some interesting data.<\/p>\n<figure id=\"attachment_89992\" aria-describedby=\"caption-attachment-89992\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89992\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.7-Decoded-PowerShell-script-part_1-650x190.png\" alt=\"Decoded PowerShell script part_1\" width=\"650\" height=\"190\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.7-Decoded-PowerShell-script-part_1-650x190.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.7-Decoded-PowerShell-script-part_1-300x88.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.7-Decoded-PowerShell-script-part_1.png 704w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89992\" class=\"wp-caption-text\"><em>Fig.7 Decoded PowerShell script part_1<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>In the first function, func_get_proc_address, <strong>GetMethod<\/strong> is used to access UnsafeNativeMethods such as <strong>GetModuleHandle<\/strong> and 
<strong>GetProcAddress<\/strong> from System.dll. As its name suggests, the first function resolves the address of the given method. The net result of all these calls is to allocate memory for the shellcode.<\/p>\n<figure id=\"attachment_89993\" aria-describedby=\"caption-attachment-89993\" style=\"width: 555px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89993\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.8-Decoded-PowerShell-script-part_2.png\" alt=\"Decoded PowerShell script part_2\" width=\"555\" height=\"67\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.8-Decoded-PowerShell-script-part_2.png 555w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.8-Decoded-PowerShell-script-part_2-300x36.png 300w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><figcaption id=\"caption-attachment-89993\" class=\"wp-caption-text\"><em>Fig.8 Decoded PowerShell script part_2<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_89994\" aria-describedby=\"caption-attachment-89994\" style=\"width: 415px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89994\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.9-Decoded-PowerShell-script-part_3.png\" alt=\"Decoded PowerShell script part_3\" width=\"415\" height=\"69\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.9-Decoded-PowerShell-script-part_3.png 415w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.9-Decoded-PowerShell-script-part_3-300x50.png 300w\" sizes=\"(max-width: 415px) 100vw, 415px\" \/><figcaption id=\"caption-attachment-89994\" class=\"wp-caption-text\"><em>Fig.9 Decoded PowerShell script part_3<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>At the third layer of decoding, we can again see some base64-encoded data in Fig. 8, and this data is encoded\/encrypted using XOR. For decryption, we used XOR with the key \u201c35,\u201d as shown in Fig. 9.<\/p>\n<figure id=\"attachment_89995\" aria-describedby=\"caption-attachment-89995\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89995\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.10-Decrypted-data-650x235.png\" alt=\"Decrypted data\" width=\"650\" height=\"235\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.10-Decrypted-data-650x235.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.10-Decrypted-data-300x109.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.10-Decrypted-data.png 691w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89995\" class=\"wp-caption-text\"><em>Fig.10 Decrypted data<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>After decrypting, we found some data in non-readable form. But when we checked for strings, we found the Cobalt Strike team server\u2019s IP address and some information regarding the user-agent. It might have established a remote connection to that IP. 
To see the actual data, we have to convert the non-readable data into hex.<\/p>\n<figure id=\"attachment_89996\" aria-describedby=\"caption-attachment-89996\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-89996\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig.11-Shellcode-650x111.png\" alt=\"Shellcode\" width=\"650\" height=\"111\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.11-Shellcode-650x111.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.11-Shellcode-300x51.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/06\/Fig.11-Shellcode.png 694w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-89996\" class=\"wp-caption-text\"><em>Fig.11 Shellcode<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>When we converted the data into hex, we obtained the actual shellcode used to establish a remote connection. After that, it can carry out post-exploitation activities such as taking screenshots, port scanning and browser pivoting. Additionally, Cobalt Strike provides lateral movement using SMB and TCP beacons once the attacker gains initial access.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Conclusion:<\/strong><\/p>\n<p>This is an overview of Cobalt Strike\u2019s scripted web delivery PowerShell attack framework. Attackers keep experimenting with new tricks and techniques to bypass detection, such as attacks involving document files, script files, etc. Scripts are easy to modify and obfuscate, and upon successful execution they provide attackers with initial access so that they can carry out post-exploitation activities easily. Additionally, Cobalt Strike can be dropped using phishing attacks. 
To stay safe from such attacks, users should identify suspicious emails by validating the sender\u2019s email address and verifying the links and attachments.<\/p>\n<p><a href=\"https:\/\/www.quickheal.co.in\/\">Quick Heal<\/a> customers are protected from such malicious attacks. However, it is recommended to keep your endpoint security solutions updated to keep yourself safe.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Subject\u00a0Matter\u00a0Expert:<\/strong><\/p>\n<p>Amruta Wagh<\/p>\n<p>Saurabh Sharma<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cobalt Strike is a widespread threat emulation tool. It is one of the most powerful network attack tools available for penetration testers in the last few years used for various attack capabilities and as a command and control framework. Recently, Cobalt Strike has been used in various ransomware campaigns like Povlsomware Ransomware,\u00a0 DarkSide Ransomware. Povlsomware [&hellip;]<\/p>\n","protected":false},"author":89,"featured_media":90056,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,24],"tags":[1824,534,22,1829,1825,49,1688,1828,1827,1826,102],"class_list":["post-89961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-malware","tag-cobaltstrike","tag-cybersecurity","tag-email-malware","tag-mailspam","tag-malicious","tag-malware","tag-powershell","tag-red-teaming-toolkit","tag-red-teaming-tools","tag-script","tag-virus"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89961"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/89"}],"replies":[{"embeddable":true,"href":"ht
tps:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89961"}],"version-history":[{"count":52,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89961\/revisions"}],"predecessor-version":[{"id":91468,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89961\/revisions\/91468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90056"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}