About

Security round up for 22.09.21

The following have been the major reported security incidents, malware, ransomware on the prowl on 22nd September 2021.

Cobalt Strike

Cobalt strike servers have been found to be active since the last week. More than 1000 instances of the Cloud strike servers have been traced by different security researchers in the current week, starting from 18.09.21. For the uninitiated, Cobalt Strike is used by penetration testers to find vulnerabilities on corporate networks. It also doubles up for being used to place malwares, malicious payloads for remote code execution.

In the company of a ransomware group, Cobalt Strike could pose major ransomware threats to the corporate networks and assets. One should take normal precautions to protect against threats emanating from a ransomware for Cobalt Strike.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

You can read more about Cobalt Strike on https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AgentTesla

AgentTesla is a malware that has been seen with an increased activity over the previous week, beginning September 20th, 2021. We can see over 150 indicators of compromise over the past 4 days, as the malware seeks to target new hosts. Agent Tesla is a malware that seeks to steal financial data through the RAT or remote access trojan. It plants a keylogger on the attacked system and all the details of a remote user get shared with the attacker. A good anti-virus and malware blocker will be able to take care of the threat coming in from AgentTesla. We suggest to deploy an enterprise level malware and anti-virus solution on your system and network to handle threats like AgentTesla.

Hancitor Malware

Last night, there have been more than 200 instances of Hancitor IOCs or indicators of compromise. The malware deploys malicious payloads on the affected hosts, which are then pushed to compromise the end user systems. The Hancitor malware may use email phishing to induce users into clicking malicious links. It could also send in macros in office documents in email attachments that could lead the user to downloading malicious payloads on the system. Therefore, Hancitor malware primarily relies on using emails to target vulnerable systems. It can, actually, use any social engineering technique to target a vulnerable system.

Worryingly, Hancitor activity is at a monthly high and we strongly suggest using a good quality anti-malware or anti-virus protection for your system.

SquirrelWaffle

This is a relatively new threat, that is supposedly linked to the Cobalt Strike threat. ALthough, the number of validated indicators of compromise for the Squirrelwaffle is less than 50, the impact could be a more intense effect. This is on account of the threat posed by the Cobalt Strike tool set, that may eventually cause unpredictable threats in the shape of remote code execution or even ransomware.

RATs – Remote Access Trojans

Multiple different RATs or remote access trojans have been found to leave indicators of compromise all over the world. Some of these RATs that have been found to be active over the past couple of days include

Nanocare RAT

Nanocore is a Remote Access Tool that has been used to steal credentials, financial data and also to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.

A good anti-virus and anti-malware that is frequently updated with the virus definitions should come in handy against this threat.

AsyncRAT

Async RAT is seen in operation during the last week. It is one of the remote access trojans that will seek to steal data from a compromised system and share it with an attacker on a remote system.

Raccoon

Raccoon is another remote threat that tries to steal and collects “passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies”. The number of indicators of compromise remains manageable and the threat can be salvaged through a good and updated anti-virus and anti-malware.

Summary

Hancitor and Cobalt Strike remain the main threats for yesterday and today, with Hancitor picking up more activity and showing more indicators of compromise all through the day. Keep an eye for some of the pre-existing and known threat emanating in the form of remote access trojans.