AnthonyQ 45 Posted August 11
Hi, I've noticed that many CobaltStrike backdoor samples seem to bypass ESET's detection. Below are VT links for some of the undetected samples:
https://www.virustotal.com/gui/file/b3adf38a949bfa704da093f0a23aa8b50c59533c4a0166992264c1bc1c40a78c
https://www.virustotal.com/gui/file/491d734b97fa86463e610820720d797e1515c6967bda1aded9ac04f2ef33833b
https://www.virustotal.com/gui/file/db140710092bd084f35c5a0231d8a2a11132ff9ae110d44a61667e3c9120cdc5
https://www.virustotal.com/gui/file/654a9d346319642bfdcde85e7e5ddd64096f7b8fcd6c1a3c301aafdf9c9a8006
https://www.virustotal.com/gui/file/3e804a884b14b64a09be6bcf1c9640df766f6b51f45ce12714bea49f97e344b4
https://www.virustotal.com/gui/file/1c758859895cd24dccb9f17f8f82aedb4a4745d3fb57cad878d06ac62b843b93
https://www.virustotal.com/gui/file/981cc9cf25eaef28d3d612ab1fabb88b815c6fb384b335b89863196ee9ff2563
https://www.virustotal.com/gui/file/332e78f15424da53065cde5ea787466257ddf33e323012a99b3f00a5e7b4869c
https://www.virustotal.com/gui/file/514994cca3303c06443d6cceeac914d3c93b74ab3925753536fd5c0665c7e889
Given the frequency of these misses, it's alarming. I hope ESET can consider enhancing signatures to address such threats more effectively. I intended to report these via your email channel, but my recent submissions on 8/8/2023, 8/9/2023, and 8/10/2023 received no feedback. Additionally, most samples remain undetected. The tracking numbers for those reports are [TRACK#64D227BD0366], [TRACK#64D23E4702BF], [TRACK#64D3804602F5], [TRACK#64D3815403C1], [TRACK#64D3937F00B7], [TRACK#64D4261401BA], [TRACK#64D4BE8C01E0], [TRACK#64D4C1B6036B] and [TRACK#64D4C46301B9]. Due to the lack of response, I felt it necessary to highlight these samples here. I hope they are addressed swiftly. Thank you.
itman 1,602 Posted August 11
I just reanalyzed a handful of the samples at VT and still no Eset detection. Pretty bad when Grindinsoft can detect these now but not Eset.
AnthonyQ 45 Posted August 12 Author
8 hours ago, itman said: I just reanalyzed a handful of the samples at VT and still no Eset detection. Pretty bad when Grindinsoft can detect these now but not Eset.
Still no detection... 🫠
AnthonyQ 45 Posted August 12 Author
Another CobaltStrike sample undetected: https://www.virustotal.com/gui/file/897a1331bc108b666776e3ea371553e1db0ccba8f27164fddd6e146645f5d287
itman 1,602 Posted August 12 (edited)
10 hours ago, AnthonyQ said: Another CobaltStrike sample undetected: https://www.virustotal.com/gui/file/897a1331bc108b666776e3ea371553e1db0ccba8f27164fddd6e146645f5d287
It needs to be noted that Eset sample detection at VT needs to be taken "with a grain of salt", as I have stated numerous times in this forum. All Eset employs protection-wise at VT is static signature detection for the most part. The only way to fully know if the malware is not actually detected at some stage is to run it. Also, if the malware is run in a local sandbox, VM, etc., that doesn't prove anything, since malware these days increasingly deploys anti-sandbox, anti-VM, etc. evasion tactics. That is, the malware won't perform any malicious activities.
Let's refer to a specific example using this prior posted sample: https://www.virustotal.com/gui/file/b3adf38a949bfa704da093f0a23aa8b50c59533c4a0166992264c1bc1c40a78c . Its behavior is shown below;
Note that Eset sets a deep behavior inspection hook, i.e. a .dll, into cmd.exe. As such, it could have detected it trying to open the .docx file via Winword.
Edited August 12 by itman
IvanL_5306 1 Posted August 12
https://www.virustotal.com/gui/file/1a74343354c37fa2ea5e907c498c190fbc691c181ec20af331a20fee383a8947
https://www.virustotal.com/gui/file/6564aff0cb25ce9ee88c3dcef054eff543601079d7563814ad55ce0d61d6f86a
https://www.virustotal.com/gui/file/ef6e61f5ea7feb23596eb21d2a2c3d2bca96c6aa3528987698d8578314c81298
https://www.virustotal.com/gui/file/886bb4f86960f51a2559dd49afff309b706bedc109fd6def5b3c56b195f8cb59
https://www.virustotal.com/gui/file/6e3b5b81b59cc275f8ff8635c0df8aea8140f6df22dd61812b7f3602e2145b6f
https://www.virustotal.com/gui/file/9b61721bb1649b592528d7af609a53a2508c0005c0f70b5846628336df84ee25
https://www.virustotal.com/gui/file/cf5a7cf49dbbf03d9cc44b351ac305ab0d6f426343b8925b3ce71768be45788b
https://www.virustotal.com/gui/file/ee1d275ab981c09cc9fa9543de702b8c658b969ee18b1d27905f097b3bc7b24e
https://www.virustotal.com/gui/file/65fa8362917477fa15202c576e0f33a2f3eb7a3a5064bfa3d4c30f2263916ee4
https://www.virustotal.com/gui/file/52fce42119b43263ba77614b04fe759c05a86b2b33c1ad783c66730e95508aaa
https://www.virustotal.com/gui/file/5912318bb94f7970dc616293d4fbaa582ddc5b397e85bad1cea589aa6729189b
https://www.virustotal.com/gui/file/20967456a9b8d1614d5d8b978034ef208725ceff8f3963802e4308165adb27cb
https://www.virustotal.com/gui/file/25d99144028a23747b539bd2824ea59dbbb76ae8d56c75dc6f74fc798a4da59d
https://www.virustotal.com/gui/file/3f895fb242939a693249f8cbbec1f08bb67f077a6ced90c7d9bb544a318d845d
https://www.virustotal.com/gui/file/35da788bded42115f6382a30464295509ac76f4804ee7ec4fe7ef37abb18d61a
https://www.virustotal.com/gui/file/0953e5ed497cd8906d2dd02911342d28921a85d5a38371f95924f456ad375490
https://www.virustotal.com/gui/file/fba1bf35cbd6ce23439b1f26e5119b696d8860aa784d160a90f9a1125438db42
https://www.virustotal.com/gui/file/01daafab69cd9f5c70f2562afb459c8832904488a3857a9339af6259b1497961
https://www.virustotal.com/gui/file/f314eded339ab8b55777dcb850eae11d44b680252b20a97bfb67e771b3884647
https://www.virustotal.com/gui/file/89c1531d2e69f9b1ba652a3edbc71f409129f5d5b08a34ed14350cd0d36e5b54
https://www.virustotal.com/gui/file/adb1d4603093c0cd7b4cf6c30ac7246cecebde1c30c8480f597ea46413f23f74
https://www.virustotal.com/gui/file/3bba88936e9276bfd734a0aeb69fb7cded00bd3075ec814e308f990b147abbaa
https://www.virustotal.com/gui/file/862c439be3da9099f615dd94109733a1b6d13d5520dc1de16a17adb55934bde6
https://www.virustotal.com/gui/file/7c646041adc3d4aacd45eb154b0298c6e17eb31f2f302c8c5c717a0c9a988bbf
https://www.virustotal.com/gui/file/8cbd51da771a2e83a733bd47bb18bca685218a11ff9471d30b84fd9a84f1b9db
https://www.virustotal.com/gui/file/fd021535f2a0a40cf6b7a1169f09ee4b21b28d01a00fdf2576ee903488a7f13a
https://www.virustotal.com/gui/file/c39d636360d36403780e7a3f54bc7ae500aa3b58bc786a1fbc7727aa29edbec2
https://www.virustotal.com/gui/file/efd75242be1dedc028172692da7d0c52fbb562a99017bfd6d12cac626b416c27
https://www.virustotal.com/gui/file/3840afb05d50a03275048b6337631b0bf544cdf09cccbdbf29c21a6a43fa3da5
https://www.virustotal.com/gui/file/e1517eea6ba4a926305b562c4c68e84ab5beee6a4da02cc6682b934ef079fef9
https://www.virustotal.com/gui/file/c3a82743588ecc7bde719de4948599a53da9b6331c334720c2e4240c7918d672
https://www.virustotal.com/gui/file/9d7743e76383dc9b671bfa6b388525b5360486a3445d9cb11a4c1a619eb6811a
https://www.virustotal.com/gui/file/11106bba596a211e8b5713c9c03e739f9eae0264702034f758303d0d79713c8a
https://www.virustotal.com/gui/file/634ec3e64acc1ee53f688aff3d13b06c9b9d5823fe9c57cd1c00f702714ff857
https://www.virustotal.com/gui/file/14efcd37c9ab7c9ee10bc8a7964ffd97f40425b18093166f028e0626212cd419
https://www.virustotal.com/gui/file/34c109caf314a05a6343af65ca3215073c16cd51827e9b727f31f414fad40f07
https://www.virustotal.com/gui/file/5a35414a27ae9223a81774d310ac27212ce57dcca4e8dc4be33805d6eadc4f61
https://www.virustotal.com/gui/file/fae4c12231fb8267eafe0eef9ffdb765ebae99ed8052653f7ee5f81c93f9d41d
https://www.virustotal.com/gui/file/5e5b27155efa206fe100b7853ffdf95a937abdbdcd0075e4fd77329372e37417
Android/FakeApp / ScamApp. All samples were discovered by Dr.Web. Submitted IOCs but ignored. 😂 Looks like ESET doesn't even trust their competitor. 🤔
itman 1,602 Posted August 12
Since the issue is Cobalt Strike detection here, this article is how to mitigate those attacks: https://www.netsurion.com/catches/mitre-attack-guides-msp-cobalt-strike-threat-mitigation . The point to note is that cmd.exe is deployed in some form in most of these attacks. I for one monitor all cmd.exe execution, even those I manually initiate via explorer.exe. Most important is to pay attention to cmd.exe startup from a downloaded unknown and untrusted process. Better yet, monitor any process startup running from the %Temp% directory and its sub-directories.
itman 1,602 Posted August 13
I just ran my own ad hoc test on how long it takes for Eset to create a signature for a Cobalt Strike beacon. I found a Cobalt Strike sample that was uploaded to the malware sharing web site on 8/11. Verified on VT that Eset was not detecting the sample with a last analyzed time of 9 hours ago. I also noted that the sample had been previously uploaded to VT on 8/3. Downloaded the sample and upon archive extraction, Eset real-time detected it;
Quote
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
8/13/2023 3:03:11 PM;Real-time file system protection;file;C:\Users\xxxxx\Downloads\30e835866395298b102bb0bc62ea0d2f8aa26bd06bb38a6dc4112beb4df2219f.exe;Win64/CobaltStrike.Agent.J trojan;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (DF22612647E9404A515D48EBAD490349685250DE).;D623C9BB721F0A30770ACD6F67053F6554185BA9;8/13/2023 3:02:56 PM
So sometime in the last 9 hours, Eset created a signature for this Cobalt Strike beacon. Confirmed when I reanalyzed it at VT. From this test, one can expect a Cobalt Strike signature detection at around 10 days after submission to VT. 😱
itman 1,602 Posted August 13 (edited)
Why Cobalt Strike beacon attacks are so difficult to detect:
Quote
The goal for any Cobalt Strike attack is the deployment of a post-exploitation payload, known as a "Beacon," onto a compromised endpoint. While some Cobalt Strike attacks can involve executables such as DLL files or libraries being installed on a targeted endpoint, most work by injecting malicious shellcode into legitimate processes. With Cobalt Strike payloads uniquely generated for specific victims and hidden within innocent processes and applications, antivirus solutions that rely on recognizable malicious signatures cannot see or stop them. Because Cobalt Strike shellcode can move via the named pipes used for inter-process communication within Windows and Unix machines, malicious shellcode will remain invisible even when an antivirus or endpoint detection and response (EDR) solution uses a sandbox, unless it is configured to emulate named pipes (which is rare).
Although Cobalt Strike is a command and control (C2) framework, which means that attacks rely on attackers establishing communication with clients installed on targeted machines, analyzing network traffic is not a reliable way of finding and stopping Cobalt Strike Beacons. The reason why is simple: the way in which Cobalt Strike conducts network egress is highly customizable and capable of mimicking traffic from legitimate applications. This feature of the Cobalt Strike platform called "Malleable C2" allows attackers to adapt command and control traffic (C2) to the kind of legitimate traffic that is likely to come from an uncompromised victim device. As a result, threat actors can configure Cobalt Strike to blend in with background noise, making traffic-based detection far more difficult.
Critically, the stagers (programs that can be used to download sections of the Beacon payload) that Cobalt Strike uses to download the Beacon payload deploy mostly in device memory. Consequently, this stage of an attack is completely hidden from antivirus solutions that do not scan device memory.
https://blog.morphisec.com/how-to-stop-ransomware-breach-prevention-vs-cobalt-strike-backdoor
As noted, don't rely on a Cobalt Strike beacon signature for stopping future attacks using a modified version of the beacon. This also might explain why it takes so long for Eset to develop a "smart" signature for Cobalt Strike beacons.
Edited August 13 by itman
rotaru 10 Posted August 13
On 8/11/2023 at 2:39 PM, itman said: I just reanalyzed a handful of the samples at VT and still no Eset detection. Pretty bad when Grindinsoft can detect these now but not Eset.
I said it 100 times already: look at Microsoft Defender: free, 99.8% detection rate vs 99.2%, and detecting these.....
itman 1,602 Posted August 13
12 minutes ago, rotaru said: I said it 100 times already: look at Microsoft Defender: free, 99.8% detection rate vs 99.2%, and detecting these.....
MD didn't detect any of the Cobalt Strike samples originally posted in this thread at the time of their posting.
AnthonyQ 45 Posted August 14 Author
3 hours ago, itman said: Why Cobalt Strike beacon attacks are so difficult to detect: https://blog.morphisec.com/how-to-stop-ransomware-breach-prevention-vs-cobalt-strike-backdoor As noted, don't rely on a Cobalt Strike beacon signature for stopping future attacks using a modified version of the beacon. This also might explain why it takes so long for Eset to develop a "smart" signature for Cobalt Strike beacons.
Creating a smart detection for these backdoor threats (mainly Trojan downloaders) might be hard, but blocking them in LiveGrid is not so difficult.
rotaru 10 Posted August 14
1 hour ago, itman said: MD didn't detect any of the Cobalt Strike samples originally posted in this thread at the time of their posting.
Just checked this one, done 1 day ago: https://www.virustotal.com/gui/file/db140710092bd084f35c5a0231d8a2a11132ff9ae110d44a61667e3c9120cdc5
No detection from ESET. Detection from Microsoft Defender.
itman 1,602 Posted August 14 (edited)
22 hours ago, AnthonyQ said: Creating a smart detection for these backdoor threats (mainly Trojan downloaders) might be hard, but blocking them in LiveGrid is not so difficult.
If I recollect correctly, Eset at VT does not employ LiveGrid blacklisting. The only way to know if Eset is currently blocking your posted samples via the LiveGrid blacklist is to run them in a VM.
Edited August 14 by itman
itman 1,602 Posted August 14 (edited)
Today I found this Cobalt Strike sample that was close to a 0-day one that Eset detected;
https://www.joesandbox.com/analysis/1290695/0/html
https://www.virustotal.com/gui/file/f7d1d66f821a925c3765b17fda917f7a65621cf57b6289f0e4f7abbebd53aab8/details
The point to note in this instance was the beacon download code was embedded in a .vbs script run from a PowerShell script. Also, no one at VT detected this malware as Cobalt Strike and all the detections were for the NetSupport RAT vbs script code.
Edited August 14 by itman
AnthonyQ 45 Posted August 15 Author
9 hours ago, itman said: If I recollect correctly, Eset at VT does not employ LiveGrid blacklisting. The only way to know if Eset is currently blocking your posted samples via the LiveGrid blacklist is to run them in a VM.
Currently, most of my posted threats are detected as WinGo/CobaltStrike.Beacon.xx or Win32/CobaltStrike.Beacon.xx. But there are still many undetected CS backdoor trojans in the wild, e.g.:
https://www.virustotal.com/gui/file/e67a68056eb4299602cdeb9e52be77b6862d0f7a7ad21a651d520189963caab6
https://www.virustotal.com/gui/file/54fb06778a2ae9c92a2ee6cc2d0a36ed51d8ff85efbdfb05ba5e2dcc5d2c8c51
https://www.virustotal.com/gui/file/9254bb2f7b9ee19e6ca1110fd715dc3e8a9fb38e7a2ea43d43b0c5c1b9ff5f38
https://www.virustotal.com/gui/file/baee8be767db634c6d2d4de7de4739dce5b948dcd4dbfc5bd73dd3c9bf335467
https://www.virustotal.com/gui/file/ed34aa09630f7d4cf033e821322c6ccf9243757115c2587eb000e369d0e87d33
They are not particularly fresh, but sadly both the local scanner and LiveGrid cannot detect them.
itman 1,602 Posted August 15 (edited)
14 hours ago, AnthonyQ said: Currently, most of my posted threats are detected as WinGo/CobaltStrike.Beacon.xx or Win32/CobaltStrike.Beacon.xx.
Actually, only half of them are being detected as Cobalt Strike, with the rest detecting its delivery malware;
https://www.virustotal.com/gui/file/491d734b97fa86463e610820720d797e1515c6967bda1aded9ac04f2ef33833b - Win64/Agent.CTD
https://www.virustotal.com/gui/file/3e804a884b14b64a09be6bcf1c9640df766f6b51f45ce12714bea49f97e344b4 - A Variant Of Win64/GenKryptik.GMTF
https://www.virustotal.com/gui/file/1c758859895cd24dccb9f17f8f82aedb4a4745d3fb57cad878d06ac62b843b93 - A Variant Of Generik.EEDJWGG
https://www.virustotal.com/gui/file/981cc9cf25eaef28d3d612ab1fabb88b815c6fb384b335b89863196ee9ff2563 - A Variant Of Win64/TrojanDownloader.Age
https://www.virustotal.com/gui/file/332e78f15424da53065cde5ea787466257ddf33e323012a99b3f00a5e7b4869c - Win64/TrojanDownloader.Agent.AGT
https://www.virustotal.com/gui/file/514994cca3303c06443d6cceeac914d3c93b74ab3925753536fd5c0665c7e889 - A Variant Of Generik.EPVCRER
illustrating the difficulty in identifying the beacon code. What I have observed is that in many of these .exe samples the beacon code is encrypted. Decryption of this code might be occurring via the named pipe convention as previously posted. In any case, Eset needs to improve its memory scanning capability in this regard.
Of note is that Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is that its initial detection name is prefixed with "VHO", which is later removed from the detection at VT. I suspect this is Kaspersky's "on-the-fly" signature creation at work, which @SeriousHoax commented on in other forum threads. Perhaps it's time Eset collaborated with Kaspersky in regards to how it's able to detect these beacons.
Edited August 15 by itman
itman 1,602 Posted August 15 (edited)
What do Cobalt Strike beacons look like? Here's one from a sample @AnthonyQ posted this morning using port 443;
Here's one from a Joe's Cloud sandbox analysis using port 80;
Quote
{
  "BeaconType": [ "HTTP" ],
  "Port": 80,
  "SleepTime": 60000,
  "MaxGetSize": 1048576,
  "Jitter": 0,
  "C2Server": "23.227.203.229,/pixel",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1359593325,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
The common code between the two beacons;
Quote
"BeaconType":
"Port"
"C2Server"
"Spawnto_x86": "%windir%\\syswow64\\rundll32.exe"
"Spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
"ProcInject_PrependAppend_x86":
"ProcInject_PrependAppend_x64":
I guess this is an identification start.
Edited August 15 by itman
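The beacon configuration quoted in the post above is also the most useful artefact for hunting, and the field comparison made by hand there can be done mechanically. The following is an added example and not code from the thread, from Joe Sandbox, from Kaspersky or from ESET. BEACON_CONFIG_80 is the port-80 configuration quoted in the post; CONSTRUCTED_CONFIG_443 is a made-up stand-in for the port-443 beacon that was shared only as a screenshot (every value in it is assumed, apart from the rundll32 and injection settings the post says the two beacons share). The layout of the C2Server field as comma-separated host,uri pairs is also an assumption about the extractor's output format.

```python
"""Turn a Cobalt Strike beacon configuration into hunting leads.

Added example, not code from the thread, Joe Sandbox, Kaspersky or ESET.
BEACON_CONFIG_80 is the port-80 configuration quoted in the post above;
CONSTRUCTED_CONFIG_443 is a constructed stand-in for the port-443 beacon that
was posted only as a screenshot, so its values are made up except for the
rundll32/injection settings the post says the two beacons have in common.
"""
import json

# Verbatim from the Joe Sandbox dump quoted in the thread.
BEACON_CONFIG_80 = json.loads(r"""
{ "BeaconType": [ "HTTP" ], "Port": 80, "SleepTime": 60000, "MaxGetSize": 1048576,
  "Jitter": 0, "C2Server": "23.227.203.229,/pixel", "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1359593325,
  "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0,
  "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": [ "CreateThread", "SetThreadContext",
                          "CreateRemoteThread", "RtlCreateUserThread" ],
  "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True",
  "HostHeader": "" }
""")

# Constructed stand-in (assumed values), not the real port-443 beacon.
CONSTRUCTED_CONFIG_443 = {
    "BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 5000, "Jitter": 20,
    "C2Server": "cdn.example.invalid,/static/js,origin.example.invalid,/static/js",
    "HttpPostUri": "/static/upload",
    "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
    "ProcInject_Execute": ["CreateThread", "SetThreadContext",
                           "CreateRemoteThread", "RtlCreateUserThread"],
    "ProcInject_AllocationMethod": "VirtualAllocEx",
    "bProcInject_UseRWX": "False", "Watermark": 987654321,
}


def parse_c2(c2server):
    """Split the C2Server field into (host, uri) pairs.

    Assumes the extractor lists fallback hosts as "host,uri,host,uri,...";
    the quoted dump carries a single pair."""
    parts = [p.strip() for p in c2server.split(",")]
    if len(parts) % 2:
        raise ValueError("C2Server is not host,uri pairs: %r" % c2server)
    return list(zip(parts[0::2], parts[1::2]))


def hunting_leads(cfg):
    """Network, timing and host-side leads worth hunting on, from one config."""
    scheme = cfg["BeaconType"][0].lower()
    port = cfg["Port"]
    network = []
    for host, uri in parse_c2(cfg["C2Server"]):
        network.append("%s %s://%s:%d%s" % (cfg.get("HttpGet_Verb", "GET"),
                                            scheme, host, port, uri))
        network.append("%s %s://%s:%d%s" % (cfg.get("HttpPost_Verb", "POST"),
                                            scheme, host, port, cfg["HttpPostUri"]))
    sleep = cfg["SleepTime"] / 1000.0        # SleepTime is in milliseconds
    jitter = cfg.get("Jitter", 0) / 100.0    # Jitter is a percentage
    return {
        "network": network,
        # Check-in window: Beacon sleeps SleepTime shortened by up to Jitter percent.
        "checkin_seconds": (round(sleep * (1 - jitter), 3), sleep),
        # Sacrificial processes that post-exploitation jobs are injected into; on
        # the endpoint these appear as rundll32.exe launched with no arguments.
        "spawnto": sorted({cfg["Spawnto_x86"], cfg["Spawnto_x64"]}),
        "inject_via": list(cfg["ProcInject_Execute"]),
        "alloc_via": cfg["ProcInject_AllocationMethod"],
        # RWX allocations are a cheap memory-scan trigger; UseRWX=False means the
        # operator has already opted out of that tell.
        "rwx_memory": cfg.get("bProcInject_UseRWX") == "True",
        "watermark": cfg["Watermark"],
    }


def shared_settings(a, b):
    """Keys carrying identical values in both configs: the comparison made by
    hand in the post, done mechanically."""
    return sorted(k for k in a if k in b and a[k] == b[k])


if __name__ == "__main__":
    print(json.dumps(hunting_leads(BEACON_CONFIG_80), indent=2))
    print(shared_settings(BEACON_CONFIG_80, CONSTRUCTED_CONFIG_443))
```

The network leads (verb, scheme, host, port, URI) go straight into proxy or NetFlow hunts; the spawnto and injection settings feed the rundll32 process rules discussed later in the thread. Note that only the fields that survive across builds of the same kit (spawnto, injection method, allocation API) come back from shared_settings, while the operator-chosen values (port, sleep, URIs, watermark) differ between the two beacons.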
AnthonyQ 45 Posted August 16 Author
9 hours ago, itman said: Actually, only half of them are being detected as Cobalt Strike, with the rest detecting its delivery malware;
https://www.virustotal.com/gui/file/491d734b97fa86463e610820720d797e1515c6967bda1aded9ac04f2ef33833b - Win64/Agent.CTD
https://www.virustotal.com/gui/file/3e804a884b14b64a09be6bcf1c9640df766f6b51f45ce12714bea49f97e344b4 - A Variant Of Win64/GenKryptik.GMTF
https://www.virustotal.com/gui/file/1c758859895cd24dccb9f17f8f82aedb4a4745d3fb57cad878d06ac62b843b93 - A Variant Of Generik.EEDJWGG
https://www.virustotal.com/gui/file/981cc9cf25eaef28d3d612ab1fabb88b815c6fb384b335b89863196ee9ff2563 - A Variant Of Win64/TrojanDownloader.Age
https://www.virustotal.com/gui/file/332e78f15424da53065cde5ea787466257ddf33e323012a99b3f00a5e7b4869c - Win64/TrojanDownloader.Agent.AGT
https://www.virustotal.com/gui/file/514994cca3303c06443d6cceeac914d3c93b74ab3925753536fd5c0665c7e889 - A Variant Of Generik.EPVCRER
illustrating the difficulty in identifying the beacon code. What I have observed is that in many of these .exe samples the beacon code is encrypted. Decryption of this code might be occurring via the named pipe convention as previously posted. In any case, Eset needs to improve its memory scanning capability in this regard. Of note is that Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is that its initial detection name is prefixed with "VHO", which is later removed from the detection at VT. I suspect this is Kaspersky's "on-the-fly" signature creation at work, which @SeriousHoax commented on in other forum threads. Perhaps it's time Eset collaborated with Kaspersky in regards to how it's able to detect these beacons.
VHO might stand for Vishash Offline, which is a unique detection technique employed by Kaspersky. I believe there's an official channel for ESET and Kaspersky to exchange IOCs, but sharing detection technology might be impossible.
Nightowl 198 (Most Valued Members) Posted August 16
18 hours ago, itman said: Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is that its initial detection name is prefixed with "VHO"
VHO and HEUR are the heuristic namings, if I am not mistaken. You will find them on Checkpoint, ZoneAlarm, and I think Bitdefender also, because those use the Kaspersky engine.
itman 1,602 Posted August 16 (edited)
I have a pretty good idea as to Eset's lack of Cobalt Strike beacon detection. It's not that Eset can't detect them at first sight, it just won't do so.
I have had some DNS hijack incidents of late. To verify I did not have some malware undetected by Eset, I downloaded and ran Kaspersky's Antivirus Tool (KVRT) and ran a full system scan including all internal hard drives. The only thing KVRT detected was 18 hack tools, POCs, etc. I have accumulated over the years, used for testing purposes. Obviously, none of these had been detected by Eset.
Cobalt Strike per se is not malware. It is a legit penetration test tool widely used by computer security audit concerns; an expensive one at that: https://www.cobaltstrike.com/product/pricing-plans . The problem with it, as with other like software, is these products always seem to be acquired by hackers. Eset will not detect hack tools per se. Only Eset can answer why, but I suspect it has to do with false positive detection and Eset's abhorrence of such.
If Cobalt Strike detection at first sight is a major concern, one would be better served using Kaspersky or a product that uses its engine, which will detect hack tools.
Edited August 16 by itman
itman 1,602 Posted August 17 (edited)
Some Cobalt Strike beacons appear to be totally "off the detection radar." Such is the case of this beacon deployed by Play ransomware that has never been submitted to VT. Courtesy of TrendMicro: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
-EDIT- Also, this beacon will run a .bat script, which is atypical of many CS beacons; hence why I monitor all cmd.exe execution.
Quote
SHA-256 Hash - c316627897a78558356662a6c64621ae25c3c3893f4b363a4b3f27086246038d
Detection name - Backdoor.Win32.COBEACON.YXCH3
Description - Cobalt Strike
Edited August 18 by itman
itman 1,602 Posted August 18 (edited)
Since I brought up Play ransomware, its latest supply chain attack method is most disturbing;
'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign
Quote
As with other attacks involving MSPs, the Play or PlayCrypt group breaks into MSP systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of customers of the MSPs. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group's attack on multiple MSPs via vulnerabilities in Kaseya's Virtual System Administrator (VSA) network monitoring tool. The attack resulted in the encryption of data on the systems of more than 1,000 customers of these MSPs.
Kevin O'Connor, director of threat research at Adlumin, says his company's research shows the threat actors gain access to privileged management systems and RMM tools via a phishing campaign that targets employees at MSPs. "[This] leads to compromise of their systems and access either through direct exploitation or credential harvesting and reuse," he says.
https://www.darkreading.com/cloud/-play-ransomware-group-targeting-msps-worldwide-in-new-campaign
Bottom line - zero trust is a must - pun intended.
Edited August 18 by itman
itman 1,602 Posted August 19 (edited)
Since Eset won't detect Cobalt Strike beacons until Eset Lab analysis is done on them, I am posting a couple of articles on behavior detection of the beacons. The detection method, doable via Eset's HIPS capability, for what happens to be the most used method for deploying beacons is;
Quote
Proxy execution via RunDLL32 and Regsvr32 remains the most popular method for executing Cobalt Strike beacons. You can hunt for executions of the binaries from suspicious locations.
label="Process" label=Create "process" IN ["*\rundll32.exe", "*\regsvr32.exe"]
command IN ["*C:\ProgramData\*", "*C:\Users\Public\*", "*C:\PerfLogs\*", "*\AppData\Local\Temp\*", "*\AppData\Roaming\Temp\*"]
https://www.logpoint.com/en/blog/how-to-detect-stealthy-cobalt-strike-activity-in-your-enterprise/
What you're looking for when the HIPS alert triggers, if an ask rule is used, is the following. However, I would make the HIPS rule/s block ones, since there is no reason rundll32.exe or regsvr32.exe should be running from the above noted directories.
Quote
Process Activity. rundll32.exe: Used in Lateral Movement by Cobalt Strike beacons: rundll32.exe being spawned by another process(es) and its process execution included no arguments.
Detection Logic: Keep track and alert on unusual processes spawning rundll32.exe
Quote
Used in Post Exploitation in Cobalt Strike related attacks: rundll32.exe spawning processes like Adfind.exe,* Net.exe, or any other Windows processes used for systems, services or network discovery.
Quote
Cobalt Strike beacons often spoof processes like "word.exe", or "excel.exe" to "explorer.exe" so that when the child process is launched the telemetry reported by the EDR agent makes the detection of unusual process chains difficult.
https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654
Note that Cobalt Strike pipes the rundll32.exe argument payload name, making it "invisible" to AV solutions.
* Refer to the prior posted TrendMicro Play ransomware attack analysis on the use of Adfind.exe.
Edited August 19 by itman
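The process rules collected in the post above (and the cmd.exe-from-%Temp% rule from the August 12 post) can be exercised against process-creation telemetry before being turned into HIPS rules. The following is an added example, not code from the thread, from Logpoint, from SOCFortress or from ESET. It applies four rules to a handful of constructed events shaped loosely like Sysmon Event ID 1 records (Image, CommandLine, ParentImage); the events, paths and process IDs are made up, and the two discovery tools added beyond adfind.exe and net.exe (net1.exe, nltest.exe) are an assumption, not from the quoted posts.

```python
"""Process-creation triage for the Cobalt Strike proxy-execution patterns
discussed in the thread: rundll32/regsvr32 run out of staging directories,
argument-less rundll32.exe, discovery tooling under rundll32.exe, and cmd.exe
started by a process running from %Temp%.

Added example, not code from the thread, Logpoint, SOCFortress or ESET. The
sample events are constructed and only loosely shaped like Sysmon Event ID 1.
"""
import fnmatch
import json
import re

# Binaries and directory globs from the Logpoint query quoted in the thread.
PROXY_BINARIES = ("rundll32.exe", "regsvr32.exe")
SUSPICIOUS_DIRS = (
    r"*C:\ProgramData\*",
    r"*C:\Users\Public\*",
    r"*C:\PerfLogs\*",
    r"*\AppData\Local\Temp\*",
    r"*\AppData\Roaming\Temp\*",
)
# adfind.exe and net.exe come from the SOCFortress post; the other two are an
# assumption added here.
DISCOVERY_TOOLS = ("adfind.exe", "net.exe", "net1.exe", "nltest.exe")

# First token of a command line, quoted or bare, followed by whatever remains.
_EXE_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_staging_dir(text):
    """Case-insensitive glob match of a path or command line against SUSPICIOUS_DIRS."""
    lowered = text.lower()
    return any(fnmatch.fnmatchcase(lowered, g.lower()) for g in SUSPICIOUS_DIRS)


def _has_arguments(command_line):
    """True if anything follows the (possibly quoted) executable token."""
    m = _EXE_TOKEN.match(command_line)
    return bool(m and m.group(1).strip())


def triage(event):
    """Return the rule names one process-creation event trips (empty if none)."""
    image = _basename(event.get("Image", ""))
    parent_path = event.get("ParentImage", "")
    parent = _basename(parent_path)
    cmdline = event.get("CommandLine", "")
    hits = []
    # 1. Proxy execution out of a user-writable staging directory: block, do not ask.
    if image in PROXY_BINARIES and _in_staging_dir(cmdline):
        hits.append("proxy_exec_staging_dir")
    # 2. rundll32.exe with no arguments, the lateral-movement tell from SOCFortress.
    if image == "rundll32.exe" and not _has_arguments(cmdline):
        hits.append("rundll32_no_args")
    # 3. Discovery tooling spawned by rundll32.exe (post-exploitation jobs).
    if parent == "rundll32.exe" and image in DISCOVERY_TOOLS:
        hits.append("rundll32_spawns_discovery")
    # 4. cmd.exe started by something that itself runs from a staging directory.
    if image == "cmd.exe" and _in_staging_dir(parent_path):
        hits.append("cmd_from_staging_parent")
    return hits


def triage_log(lines):
    """JSON lines in, {ProcessId: [rules]} out for every event that tripped a rule."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = triage(event)
        if hits:
            findings[event["ProcessId"]] = hits
    return findings


# Constructed sample telemetry (not real logs): four suspicious events, one benign.
SAMPLE_LINES = [json.dumps(e) for e in (
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,DllMain",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"ProcessId": 4188, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "domain admins" /domain',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"ProcessId": 4250, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
)]


def demo():
    """Run the rules over the constructed sample and return the findings."""
    return triage_log(SAMPLE_LINES)


if __name__ == "__main__":
    for pid, rules in sorted(demo().items()):
        print(pid, ", ".join(rules))
```

Rule 2 matches the SpawnTo pattern seen in the beacon config earlier in the thread (rundll32.exe from syswow64 or sysnative launched with nothing on the command line), which is exactly what a HIPS ask rule on rundll32.exe child-process creation would surface; rules 1 and 4 are the ones worth making block rules, since neither a proxy binary running a DLL out of C:\Users\Public nor cmd.exe spawned by a binary in %Temp% has a legitimate reason to happen on a managed endpoint. The benign event (rundll32.exe opening a Control Panel applet) is there to show the rules do not fire on ordinary use.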
itman 1,602 Posted August 20 (edited)
Another important point about Cobalt Strike is the ability to deploy an AMSI bypass;
Quote
The amsi_disable option directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities.
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_controll-post-exploitation.htm
Also important is that Eset's recommended HIPS anti-ransomware rules to prevent script startup from rundll32.exe won't work, since that rule is only monitoring child process creation from its default Windows directory locations.
Edited August 20 by itman