Silver and Cobalt Strike are sophisticated adversary simulation tools that are widely used in penetration testing and red team operations.
These tools enable security researchers to emulate advanced persistent threats by offering features like “covert command and control channels” and “post-exploitation capabilities.”
Security analysts at “The DFIR Report” recently identified Nitrogen malware as “IP Scanner” that was found deploying Sliver and Cobalt Strike on hijacked server.
Deploying Silver & Cobalt Strike
A user unknowingly downloaded malware masquerading as “Advanced IP Scanner” from a fraudulent website promoted via “Google ads,” initiating a “Nitrogen campaign.”
The malicious payload was delivered as a “ZIP file,” that contained a “legitimate Python executable” (“setup.exe”) that side-loaded a “modified python311.dll,” executing the Nitrogen code.
Leveraging AI for enhanced security => Free Webinar
This led to the deployment of “Sliver” and “Cobalt Strike” beacons, sophisticated “remote access tools,” obfuscated using “Py-Fuscate.”
Using “PowerView” and “BloodHound” to map the network and Active Directory structure the attacker conducted extensive reconnaissance over eight days.
Not only that even they also performed lateral movement via “Windows Management Instrumentation (WMI),” “Remote Desktop Protocol (RDP),” and “Pass-the-Hash techniques.”
While by dumping LSASS memory the credentials were harvested. Here the attacker maintained persistence through “scheduled tasks,” “registry modifications (WinlogonUserinit key),” and “created tasks” mimicking legitimate processes like ‘OneDrive’ and ‘Microsoft Edge.’
They employed various defense evasion techniques like “API unhooking,” “sleep obfuscation,” and bypassing ‘AMSI,’ ‘WLDP,’ and ‘ETW.’
Process injection was used to elevate privileges by injecting into “winlogon.exe.” The data exfiltration was accomplished using an open-source backup tool “Restic,” and transferring files to a server in “Bulgaria.”
In the final phase, the attacker deployed “BlackCat” ransomware across the network using “Server Message Block (SMB)” protocol and “PsExec.”
They forced systems to reboot into “Safe Mode” with Networking to bypass security measures, by leveraging the ‘compromised backup service account’ for auto-login via “Winlogon.”
This helps to widespread the file encryption, and leaves ransom notes on the “affected hosts.” The Time to Ransomware (TTR) was approximately 156 hours, spanning over eight calendar days from initial compromise to full deployment, reads the DFIR report.
The incident involved threat actors using C2 servers located in “Bulgaria” and “the Netherlands.”
On ‘port 441’ threat actors employed “Cobalt Strike” with specific IP addresses (“91.92.250.158,” “91.92.251.240,” “94.156.67.175,” “94.156.67.180”) and an “untrusted HTTPS certificate” (serial number “1657766544761773100”).
With invalid certificates, the attackers also used “RedGuard” and “Sliver” on servers. To transfer sensitive information over ‘HTTP’ to a server at “195.123.226.84:8000,” they used “Restic”
Across the network to deploy batch scripts (‘up.bat’ and ‘1.bat’), the threat actors executed remote commands using “PsExec.”
These scripts performed the following critical actions:-
- Resetting passwords.
- Modifying system boot configurations.
- Setting up auto-login mechanisms.
Besides this, the final stage involved deploying ransomware, which ‘encrypted files,’ ‘deleted volume shadow copies’ to prevent easy recovery, and left a ‘ransom note.’
Throughout the attack, the threat actors used various Windows utilities like “bcdedit,” “reg,” and “shutdown” to manipulate system settings and ensure persistence.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar