A malicious campaign was found using a technique called domain fronting to mask command-and-control traffic, exploiting a legitimate Myanmar government-owned domain to route communications to an attacker-controlled server in an attempt to evade detection.
The threat, which was observed in September 2021, deployed Cobalt Strike payloads as a springboard to launch further attacks, with the adversary using a domain associated with the Myanmar Digital News Network, a state-owned digital newspaper, as a facade for its Beacons.
“When Beacon is launched, it submits a DNS query for a legitimate, high-reputation domain hosted behind the Cloudflare infrastructure and changes the header of subsequent HTTPS requests to ask the CDN to direct traffic to a host controlled by an attacker,” Cisco Talos researchers Chetan Raghuprasad, Vanja Svajcer and Asheer Malhotra said in a technical analysis released Tuesday.
Originally released in 2012 to address perceived gaps in the Metasploit penetration testing and hacking framework, Cobalt Strike is a popular red team tool used by penetration testers to emulate threat actor activity in a network.
But because the utility simulates attacks by actually performing them, the software has increasingly emerged as a formidable weapon in the hands of malware operators, who use it as an initial access payload that allows attackers to carry out a wide range of post-exploitation activities, including lateral movement and deploying a wide range of malware.
[Image: Cobalt Strike Beacon Traffic]
While malicious actors can get Cobalt Strike by purchasing the tool directly from the vendor’s website for $3,500 per user for a one-year license, it can also be purchased on the dark web through underground hacking forums, or, alternatively, obtained as cracked, illegitimate versions of the software.
In the latest campaign seen by Talos, running the beacon causes the victim machine to send the initial DNS request to the government-owned host, while the actual command-and-control (C2) traffic is stealthily redirected to an attacker-controlled server, effectively mimicking legitimate traffic patterns in an attempt to evade detection by security solutions.
“While the default C2 domain was specified as www[.]mdn[.]government[.]mm, the traffic from the beacon has been redirected to the de facto C2 test[.]sweet lemon[.]net via the HTTP GET and POST metadata specified in the beacon configuration,” the researchers said. “The DNS query for the initial host resolves to an IP address owned by Cloudflare, which allows the attacker to use domain fronting and send the traffic to the actual C2 host test[.]sweet lemon[.]net, also fronted by Cloudflare.”
The C2 server, however, is no longer active, according to the researchers, who noted that it is a Windows server running Internet Information Services (IIS).
“Domain fronting can be accomplished with a redirect between the malicious server and the target. Malicious actors can misuse various content delivery networks (CDNs) to configure redirects to content served by attacker-controlled C2 hosts,” the researchers said. “Defenders should monitor their network traffic even to high-reputation domains to identify potential domain fronting attacks with Cobalt Strike and other offensive tools.”
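The monitoring the researchers recommend comes down to one observable: in a domain-fronted connection the name the client asks for (the DNS query and TLS SNI, here the government-owned domain) differs from the HTTP Host header the CDN actually routes on (the C2 host). The script below is an added example for this article, not Talos or Cisco code; it runs a simple SNI-versus-Host mismatch check over constructed proxy log lines. The JSON-per-line log format, the `TWO_LEVEL_SUFFIXES` shortcut, the IP addresses and the `attacker-c2.example` host name are all assumptions made for the example; only the fronted domain `www.mdn.government.mm` comes from the article.

```python
"""Flag domain-fronting candidates in TLS-inspecting proxy logs by comparing
the TLS SNI against the HTTP Host header of each request.

Added example for this article; not Talos/Cisco code. Log schema, IPs and the
C2 host name below are constructed; www.mdn.government.mm is the domain the
article names as the fronted one.
"""
import json
from collections import Counter

# Constructed sample records (assumed JSON-per-line schema from a TLS-inspecting
# proxy). 203.0.113.0/24 is a documentation range standing in for a CDN edge;
# attacker-c2.example is a placeholder, not the real C2 host.
SAMPLE_LOGS = """\
{"ts":"2021-09-14T10:01:02Z","src":"10.0.0.12","dst_ip":"203.0.113.10","sni":"www.mdn.government.mm","host":"www.mdn.government.mm","method":"GET","uri":"/"}
{"ts":"2021-09-14T10:01:05Z","src":"10.0.0.12","dst_ip":"203.0.113.10","sni":"www.mdn.government.mm","host":"attacker-c2.example","method":"GET","uri":"/api/v1/status"}
{"ts":"2021-09-14T10:01:09Z","src":"10.0.0.12","dst_ip":"203.0.113.10","sni":"www.mdn.government.mm","host":"attacker-c2.example","method":"POST","uri":"/api/v1/status"}
{"ts":"2021-09-14T10:02:00Z","src":"10.0.0.33","dst_ip":"203.0.113.10","sni":"cdn.example","host":"static.cdn.example","method":"GET","uri":"/img.png"}
{"ts":"2021-09-14T10:02:30Z","src":"10.0.0.33","dst_ip":"203.0.113.10","sni":"cdn.example","host":"","method":"GET","uri":"/"}
"""

# Two-level public suffixes handled explicitly. Assumption for this example:
# a real deployment would consult the full Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"gov.mm", "co.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_logs(text: str) -> list[dict]:
    """Parse JSON-per-line records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_fronting_candidate(rec: dict) -> bool:
    """True when SNI and Host header resolve to different registrable domains.

    Comparing registrable domains rather than full host names keeps ordinary
    CDN layouts (SNI cdn.example, Host static.cdn.example) from alerting.
    A missing Host header cannot be compared and is left to a separate check.
    """
    sni = rec.get("sni", "").lower()
    host = rec.get("host", "").lower()
    if not sni or not host:
        return False
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting(records: list[dict]) -> list[dict]:
    """Return every record whose SNI/Host pair looks fronted."""
    return [r for r in records if is_fronting_candidate(r)]


def summarize(alerts: list[dict]) -> Counter:
    """Count (source, fronted SNI, real Host) triples; repeats suggest beaconing."""
    return Counter((a["src"], a["sni"], a["host"]) for a in alerts)


if __name__ == "__main__":
    alerts = find_fronting(parse_logs(SAMPLE_LOGS))
    for (src, sni, host), n in summarize(alerts).items():
        print(f"{src}: TLS SNI {sni!r} but HTTP Host {host!r} ({n} requests)")
```

The check only works where the Host header is visible, that is, behind a TLS-inspecting proxy or on the endpoint; with encrypted traffic alone, defenders are limited to correlating DNS and SNI with destination reputation and beaconing cadence, which is why the aggregation step counts repeated (source, SNI, Host) triples rather than alerting on single requests.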