hunt.io Open in urlscan Pro
35.71.142.77  Public Scan

Form analysis
0 forms found in the DOM

Text Content

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky
Infrastructure

Read Now


Threat Hunting Platform - Hunt.io

Home

Product



Features



Resources



About

Login

Book Your Free Demo



Home



Blog



Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious
Activity


RARE WATERMARK LINKS COBALT STRIKE 4.10 TEAM SERVERS TO ONGOING SUSPICIOUS
ACTIVITY

Published on

Dec 3, 2024


TABLE OF CONTENTS
A New Version & Watermark 688983459Infrastructure AnalysisDownloading BeaconsOne
More Thing: A Curious Cluster with Watermark 1ConclusionWatermark 1 Cluster

Hunt researchers recently uncovered a cluster of suspicious infrastructure using
Cobalt Strike's latest version, 4.10, released in July 2024. Despite efforts to
disrupt unauthorized use, malicious actors continue to exploit the tool's
post-exploitation features for nefarious purposes. According to our scan data,
these servers are highlighted by a unique watermark shared by only five other
IPs across the internet. 

Notably, the domains associated with the team servers (which first showed in our
scans on 19 November) impersonate well-known brands, suggesting a targeted
approach to deceive users, possibly through phishing. This post presents our
analysis, including detailed examinations of the IP addresses, domains, and
beacon configurations involved.


A NEW VERSION & WATERMARK 688983459

Cobalt Strike 4.10 introduced several enhancements to improve cybersecurity
practitioners' efficiency. These updates offer improved flexibility, greater
control, and improved evasion techniques, which, while intended for legitimate
security testing, can also be leveraged by malicious actors.

Below are three of the most impactful (in our opinion) features introduced:

 * BeaconGate: Enables operators to route Beacon's Windows API calls through a
   customizable interface, enhancing evasion strategies.
 * Postex Kit: Provides a comprehensive set of post-exploitation tools designed
   to enhance system interaction after initial access.
 * Sleepmask-VS: Introduces an updated sleep masking mechanism that hides
   Beacon's activity during idle periods, reducing detection risks.


WATERMARKS EXPLAINED

In Cobalt Strike, a watermark is a unique identifier embedded within the
software, and its payloads are linked to a specific license/customer. While
watermarks assist in linking activity to specific operators when seen across
different instances, their effectiveness is limited due to the ease of spoofing
and the widespread availability of leaked or pirated versions.

Low-prevalence watermarks may indicate activity not widely recognized by
defenders, such as emerging malicious campaigns. Conversely, red team exercises
may be more apt to keep default values, which could also result in rarely seen
watermarks.

Watermark 688983459 was identified during our research into Cobalt Strike team
servers. This identifier, only seen by our scanners across 7 other IP addresses,
seemed like a worthy candidate to dive into and analyze further. This discovery
led us to infrastructure using the latest version of Cobalt Strike as well as
domains and configuration patterns, which we will discuss below.


INFRASTRUCTURE ANALYSIS

Beyond the shared watermark, the servers exhibit additional commonalities. All
team servers are hosted in the United States within Amazon's network
infrastructure, except for one utilizing Microsoft's services. 

Additionally, the cluster shares network port configurations, specifically using
port 80 for the Cobalt Strike team server. We'll quickly cover the beacon
configuration, which can be viewed by clicking on the "i" button next to any
detected team server in Hunt. 

Figure 1: Screenshot showing the "i" button which allows users to quickly view
beacon configurations without downloading them in Hunt.

Similarities between IP addresses, such as shared SSH keys, IoCs from reports,
certificates, config, and redirects, are all available to quickly pivot on under
the "Associations" tab in Hunt. 

We found servers sharing the same config by drilling down into the
aforementioned tab, uncovering six additional IPs, as seen in Figure 2 below. 

Figure 2: Associations tab showing six additional IP addresses sharing the same
watermark (Hunt).

Another data point that assists in clustering suspicious infrastructure is the
public key, which is also embedded within the beacon configuration. In our
research, dd25ce57906d453385b35daaed5433a6901ca3cb071245c90b1d2781f6078769, was
shared across all 7 servers. Below are some of the more interesting config
fields starting with IP address 44.203.181[.]185.

 * endpoint: http://downloads.yourcoupons[.]net/jquery-3.3.1.min.js 
 * SETTING_USERAGENT : Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like
   Gecko
 * SETTING_SUBMITURI : /jquery-3.3.2.min.js

Figure 3 below displays an example config from our first server.

Figure 3: Example beacon configuration including endpoints, user-agent, and
submituri fields in Hunt.

So as not to bore you with multiple repetitive screenshots, we'll list the
remaining IP addresses in the table below.

IP AddressASNResolving DomainDomain in ConfigFirst Seen34.238.135[.]169Amazon
Technologies Inc.api.toptechmanagementgroup[.]com
downloads.toptechmanagementgroup[.]comdownloads.toptechmanagementgroup[.]com2024-11-2652.91.17[.]36Amazon
Technologies Inc.N/Adownloads.abyanfinancial[.]com2024-11-2552.205.213[.]5Amazon
Technologies Inc.downloads.uscga[.]coSame2024-11-2574.235.246[.]236Microsoft
Corporationpublic.open-dns[.]ukSame2024-11-19184.72.118[.]160Amazon Data
Services NoVaN/Adownloads.my-icecream[.]com2024-11-25184.73.81[.]49Amazon Data
Services
NoVadev-monitor.upsideapp[.]comdownloads.helpsdeskmicrosoft[.]com2024-11-25

After reviewing the domains in the table above, it's pretty clear this cluster
of infrastructure is geared towards brand impersonation. Domain names like
downloads.helpsdeskmicrosoft[.]com and public.open-dns[.]uk mimic legitimate
organizations, likely aiming to blend in with network traffic.

Others, such as downloads.uscga[.]co and downloads.abyanfinancial[.]com, suggest
possible targeting of specific sectors or entities.

During our research into this group of IPs, we could not identify any recent TLS
certificates associated with the servers, indicating the infrastructure may
still be in the early stages of development, or the operators are purposefully
not using certificates to evade further scrutinization.


DOWNLOADING BEACONS

We were able to extract a handful of payloads from the above team servers, which
offered a chance for further analysis. Analyzing these beacons allows security
professionals to develop detection signatures, understand operator TTPs, and
possibly identify additional infrastructure previously unknown.

While a detailed examination of the payloads is beyond the scope of this post,
we are sharing the SHA-256 hashes below and encourage the community to dig into
these samples and analyze any shellcode or malicious artifacts.

Reminder: It's not uncommon for red teamers or malicious network operators to
serve benign files in an attempt to protect the Team Server.

Team ServerSHA-256File
Size52.205.213[.]5ae352f86b470dfa999f3d50394876209d19bc06af2e246758f150f55eaa2a787273.09
KB44.203.181[.]185d884ccc9aa3b1d1a018d7cb4a1d80da7142e934178ef0fc6faff7b1f1f7fa6c1273.09
kB34.238135[.]169889e4f388ac6fd9d5f1025ed32276eb0fef2717c8d387fb82d5a8438bbe6025e273.07
KB184.73.81[.]49a2ed422d92f5963468c9e3c615754dc7e31acd51b7372386d7694747bc2d9897273.08
KB184.72.118[.]160e2a82f971d011675ad387beb2ef943824b2e62e3aab5f9ef79516c11693a6636273.07
KB


ONE MORE THING: A CURIOUS CLUSTER WITH WATERMARK 1

Before wrapping up this post, we wanted to briefly highlight another small
cluster of team servers we observed using a watermark of 1. This value has
typically been associated with cracked or leaked versions of Cobalt Strike.

In 2020, Amnesty International reported that the FinSpy spyware targeting macOS
and Linux systems employed the same watermark. We see no links between this case
and FinSpy, however adding historical context can assist in highlighting the
/potential significance of findings.

Given that this group of servers varies greatly by version and other factors,
we'll quickly detail some of the more interesting servers, and provide the rest
at the end of this post..

IP Address: 113.250.188[.]15

 * ASN: Chongqing Telecom
 * Cobalt Strike Version: 4.3
 * endpoints: 113.250.188[.]15/en_US/all.js
 * User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
   InfoPath.1)
 * PUBKEY: 2be79284671f4a3d7aa1158731c3ac3e499bfb1ca637e237e04acdd91a3e67c4

IP Address: 36.137.91[.]198

 * ASN: China Mobile Communications Group Co., Ltd.
 * Cobalt Strike Version: 4.2
 * endpoints: http://36.137.91[.]198:18443/cx
 * User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64;
   Trident/6.0; MATMJS)
 * PUBKEY: 713cb0954ca69d973628c711744046d0b9dc7f6036175184389b31bd8ddbd7e3

IP Address: 85.208.110[.]57

 * ASN: STARK INDUSTRIES SOLUTIONS LTD
 * Cobalt Strike Version: 4.2
 * Endpoints:
   https://www.googleadservices[.]org:63221/pagead/conversion/16521530460 
 * User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
   like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7aa.
 * PUBKEY: 02a621ddce14572cb2ded37edc76ce3d93cf78b46feec2d318bb1c4afaf609da
 * TLS Certificate: CloudFlare SHA-256 Fingerprint:
   8860015325A7DFA7DE7BBC6CE0C4600B3109577836E3F0116F223AB5F7A85490


CONCLUSION

Our threat hunting efforts led us to infrastructure leveraging the latest
version of Cobalt Strike, all connected by the unique watermark 688983459.
Utilizing the associations tab in Hunt, we quickly identified similar IPs, and
additional analysis of similar ports, and domains impersonating well-known
brands, points to a coordinated operation defenders should be on the lookout
for.

We also discovered a separate group of servers using the watermark 1,
historically associated with known malicious activity. While the intent behind
this cluster remains unclear-whether it represents legitimate red team exercises
or actions by malicious actors-it underscores the importance of vigilance.
Monitoring both commonly used and rare watermarks is essential for detecting and
mitigating threats in all their forms.


WATERMARK 1 CLUSTER

IP Address ASNDomain(s)Miscellaneous47.120.38[.]194Hangzhou Alibaba Advertising
Co.,Ltd.mggbest[.]topCobalt Strike 4.291.196.70[.]155EstNOC OYN/A"Microsoft" TLS
Certificate
SHA-256:
8A172E2F0CA849799E0B25CD0EB89D32020EECF30599D951C4E8ECB826DDD5DA83.229.127[.]233LUCIDACLOUD
LIMITEDN/ACobalt Strike 4.2124.222.201[.]108Shenzhen Tencent Computer Systems
Company LimitedN/ACobalt Strike 4.2139.196.126[.]3Hangzhou Alibaba Advertising
Co.,Ltd.N/ACobalt Strike 4.2


RELATED POSTS:

Oct 10, 2024

UNMASKING ADVERSARY INFRASTRUCTURE: HOW CERTIFICATES AND REDIRECTS EXPOSED EARTH
BAXIA AND PLUGX ACTIVITY

Learn how basic tracking techniques using unusual certificates and redirects
helped uncover Earth Baxia and a hidden cyber threat, providing practical
insights for network defense.

May 21, 2024

UNEARTHING NEW INFRASTRUCTURE BY REVISITING PAST THREAT REPORTS

Suppose you know David Bianco’s “Pyramid of Pain” model. In that case, you know
that IP addresses are among the lower indicators of compromise due to their
short lifespan and ease of change to legitimate purposes.

Apr 16, 2024

IN PLAIN SIGHT: UNCOVERING SUPERSHELL & COBALT STRIKE FROM AN OPEN DIRECTORY

Hunt scans every corner of the public IPV4 space and constantly scours the
Internet for open directories. Through...

Ready to get started?

We can help you unravel networks of threat actor infrastructure blending into
hosting providers.

Get a Free Demo Today


Threat Hunting Platform - Hunt.io

Threat Hunting Platform - Hunt.io



Products

Web Interface

Feeds

Enrichment API

Features

AttackCapture™

HuntSQL™

New

C2 Detection

IOC Hunter

Phishing Infrastructure

Resources

Change Log

Terms & Conditions

Privacy Policy

Support Docs

Latest News

“Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky
Infrastructure

Dec 10, 2024

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android
Devices

Dec 5, 2024

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious
Activity

Dec 3, 2024

©2024

Hunt Intelligence, Inc.