

Editor's note: This is one of a series of articles focused on the Conti ransomware family, which include a detailed analysis of a Conti attack, A Conti Ransomware Attack Day-By-Day, and a guide for what IT administrators can expect when Conti ransomware hits.

For the past several months, both SophosLabs and the Sophos Rapid Response team have been collaborating on detection and behavioral analysis of a ransomware that emerged last year and has undergone rapid growth.

The ransomware, which calls itself Conti, is delivered at the end of a series of Cobalt Strike/meterpreter payloads that use reflective DLL injection techniques to push the malware directly into memory.

Because the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer's file system, the attackers eliminate a critical Achilles' heel that affects most other ransomware families: there is no artifact of the ransomware left behind on disk for even a diligent malware analyst to discover and study.

That isn't to say there aren't artifacts and components to look at.

The threat actors involved in attacks using Conti have built a complex set of custom tooling designed not only to obfuscate the malware itself when it gets delivered, but also to conceal the internet locations from which the attackers download it during attacks, and so to prevent researchers from obtaining a copy of the malware that way as well.

The first stage of the Conti ransomware process involves a Cobalt Strike DLL, roughly 200kb in size, that allocates the memory space needed to decrypt and load meterpreter shellcode into system memory.

Figure: A portion of meterpreter shellcode, extracted from memory on an infected machine.

The shellcode, stored XOR-encoded inside the DLL, unfurls itself into the reserved memory space, then contacts a command-and-control server to retrieve the next stage of the attack.

This C2 communication is distinctive for a number of reasons.

First, the malware appears to be using a sample Cobalt Strike configuration script named trevor.profile, published in a public GitHub archive. The profile serves as a sort of homage to an incident in which security researchers attending a conference found an insect in a milkshake at a restaurant outside the conference center.

The script designates certain characteristics used during this phase of the attack, including a User-Agent string ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)") that mimics that of a computer running Windows 7 but, distinctively, fails to identify any specific browser, and a static URI path ("/us/ky/louisville/312-s-fourth-st.html") that includes the street address of the infamous restaurant where the researcher discovered the bug in their shake.

Figure: An excerpt from the sample Cobalt Strike configuration script.

It doesn't appear that the Conti attackers have modified this sample script very much, which makes the C2 communication notable in two ways.

First, the sample Cobalt Strike configuration uses a URI path that includes "Menus" (with a capital M) to indicate that the infected machine is running a 64-bit operating system, so that the server can deliver the appropriate payload for that architecture. The initial connection to the C2 server is therefore to a page named Menus.aspx on the server. That page delivers the next payload, which the first stage loads into memory: another Cobalt Strike shellcode loader that contains the reflective DLL loader instructions.

Second, if that succeeds, the malware then contacts the "312-s-fourth-st.html" page on the same C2 server.

The attackers only trigger this chain of events during an active attack, placing the ransomware binary on the C2 server so that it can be retrieved by this process only while the attack is ongoing, and removing it immediately afterwards.

Elusive ransomware payloads

Because of the ephemeral nature of the placement of the ransomware payload, analysts had difficulty obtaining samples for research. But we were able to salvage some of the in-memory code from infected computers where the malware was still running.
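
The first stage described above keeps its meterpreter shellcode XOR-encoded inside the loader DLL, and the analysts' in-memory salvage depends on finding and decoding that blob. The following is an added example, not code from the article or from Sophos: it recovers a short repeating XOR key by known-plaintext search. The article gives neither the key nor its length, so the key length, the choice of the Metasploit/Cobalt Strike x64 stager prologue (cld; and rsp,-16; call) as the known plaintext, and the loader blob it runs on are all assumptions made here.

```python
"""
Recover XOR-obfuscated shellcode from a loader binary or a memory region.

Added example, not code from the article or from Sophos. ASSUMPTIONS not
stated by the article: the key is a short repeating byte string, and the
decoded shellcode opens with the common x64 stager prologue
    FC 48 83 E4 F0 E8 C0 00 00 00   (cld; and rsp,-16; call block_api)
The "loader" blob at the bottom is constructed, not a real sample.
"""
from typing import Optional, Tuple

# Known plaintext: first ten bytes of the common x64 stager shellcode (assumed).
KNOWN_PROLOGUE = bytes.fromhex("fc4883e4f0e8c0000000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, known: bytes = KNOWN_PROLOGUE,
                    max_key_len: int = 4) -> Optional[Tuple[int, bytes]]:
    """Slide `known` across `blob`. At each offset the first klen bytes of
    ciphertext XOR plaintext give a candidate key; the remaining known bytes
    must then decode correctly, which rejects false candidates as long as the
    known plaintext is comfortably longer than the key. Shorter keys are tried
    first. Returns (offset, key) or None."""
    if max_key_len * 2 > len(known):
        raise ValueError("known plaintext too short to verify keys this long")
    for klen in range(1, max_key_len + 1):
        for off in range(len(blob) - len(known) + 1):
            window = blob[off:off + len(known)]
            key = bytes(window[i] ^ known[i] for i in range(klen))
            if xor_bytes(window, key) == known:
                return off, key
    return None


def carve_shellcode(blob: bytes, length: Optional[int] = None
                    ) -> Optional[Tuple[int, bytes, bytes]]:
    """Locate the encoded shellcode in `blob` and return (offset, key, decoded).
    `length` bounds how much is decoded; by default the rest of the blob, since
    the prologue alone does not tell us where the shellcode ends."""
    hit = recover_xor_key(blob)
    if hit is None:
        return None
    off, key = hit
    end = len(blob) if length is None else off + length
    return off, key, xor_bytes(blob[off:end], key)


# Constructed sample: a fake DOS header plus filler stand in for the DLL body,
# then the prologue and 16 filler "shellcode" bytes XORed with a 3-byte key,
# then a few trailing bytes. Offset of the encoded shellcode is 4 + 32 = 36.
SAMPLE_KEY = bytes.fromhex("5ac3f1")
SAMPLE_SHELLCODE = KNOWN_PROLOGUE + bytes(range(0x41, 0x51))
SAMPLE_BLOB = (b"MZ\x90\x00" + bytes(range(0x10, 0x30))
               + xor_bytes(SAMPLE_SHELLCODE, SAMPLE_KEY)
               + bytes.fromhex("deadbeef"))
SAMPLE_OFFSET = 36

if __name__ == "__main__":
    hit = carve_shellcode(SAMPLE_BLOB, len(SAMPLE_SHELLCODE))
    assert hit is not None
    off, key, decoded = hit
    print(f"shellcode at offset {off:#x}, key {key.hex()}")
    print(decoded.hex())
```

On a real 200kb DLL the search is cheap (keys up to four bytes, one pass per key length), but the verification margin shrinks as the key grows: with a ten-byte known plaintext and a four-byte key only six bytes are checked, so for longer keys extend KNOWN_PROLOGUE with more of the stager (the bytes that follow are the register pushes of the block_api stub) before raising max_key_len. A 32-bit stager starts differently (FC E8 ...), so run the search once per architecture if the loader could be either.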

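The C2 traits described above (the Windows 7-style User-Agent that names no browser, the Menus.aspx stager request whose capital M marks a 64-bit host, and the static GET to /us/ky/louisville/312-s-fourth-st.html) are all visible in web proxy logs. The detection pass below is an added example, not code from the article or from Sophos. Its tab-separated log format and every log line are constructed, 203.0.113.10 is a documentation address standing in for the C2 host, and the lowercase /menus.aspx (32-bit) variant is not in the article but is assumed from Cobalt Strike's usual uri_x86/uri_x64 pairing. The regex rule goes beyond the article's exact string: it flags any WebKit-style User-Agent that ends right after "(KHTML, like Gecko)", since real browsers append a product token such as Chrome/88 or Safari/537.36.

```python
"""
Flag proxy-log requests matching the trevor.profile Cobalt Strike C2 traits.

Added example, not code from the article or from Sophos. The log format and
all sample lines are constructed. Assumed (not from the article): the
lowercase /menus.aspx x86 stager path, and the generalised no-browser-token
User-Agent heuristic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROFILE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
PROFILE_GET_URI = "/us/ky/louisville/312-s-fourth-st.html"
# Capital M = 64-bit per the article; the lowercase x86 path is an assumption.
STAGER_URIS = {"/Menus.aspx": "x64", "/menus.aspx": "x86 (assumed)"}

# Generalisation of the article's observation: a WebKit-style UA that stops
# right after "(KHTML, like Gecko)" names no browser at all.
WEBKIT_NO_BROWSER = re.compile(r"AppleWebKit/[\d.]+ \(KHTML, like Gecko\)\s*$")


@dataclass
class Finding:
    timestamp: str
    src: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Constructed format: ts, src, method, host, path, status, user-agent (tab-separated)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, method, host, path, status, ua = fields
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path.split("?", 1)[0], "status": status, "ua": ua}


def check_request(rec: dict) -> List[Finding]:
    """Apply the profile-derived rules to one parsed request."""
    findings: List[Finding] = []
    ua, path = rec["ua"], rec["path"]
    if ua == PROFILE_USER_AGENT:
        findings.append(Finding(rec["ts"], rec["src"], "cs-trevor-profile-user-agent", ua))
    elif WEBKIT_NO_BROWSER.search(ua):
        findings.append(Finding(rec["ts"], rec["src"], "webkit-ua-without-browser-token", ua))
    if path == PROFILE_GET_URI:
        findings.append(Finding(rec["ts"], rec["src"], "cs-trevor-profile-beacon-get",
                                rec["host"] + path))
    if path in STAGER_URIS:  # case-sensitive on purpose: the capital M is the signal
        findings.append(Finding(rec["ts"], rec["src"], "cs-stager-request",
                                f"{STAGER_URIS[path]} stager from {rec['host']}"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            findings.extend(check_request(rec))
    return findings


# Constructed sample log: two beacon requests, one normal Chrome request, and
# one request with a slightly different browserless UA hitting the x86 path.
SAMPLE_LOG = "\n".join([
    "2021-02-01T10:15:03Z\t10.0.0.23\tGET\t203.0.113.10\t/Menus.aspx\t200\t"
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
    "2021-02-01T10:15:09Z\t10.0.0.23\tGET\t203.0.113.10\t/us/ky/louisville/312-s-fourth-st.html\t200\t"
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",
    "2021-02-01T10:16:00Z\t10.0.0.44\tGET\twww.example.com\t/index.html\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/88.0.4324.150 Safari/537.36",
    "2021-02-01T10:16:30Z\t10.0.0.51\tGET\tcdn.example.net\t/menus.aspx\t404\t"
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.src} {f.rule}: {f.detail}")
```

The exact-match rules are high confidence but only catch attackers who, like the Conti operators here, left the sample profile unmodified; the browserless-UA heuristic survives small edits to the string but will also fire on some embedded HTTP clients, so treat it as a triage signal to correlate with the stager and beacon paths rather than as an alert on its own.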