

In March 2021 our researchers discovered an APT campaign targeting Slovakia. We found that this campaign has been active at least since February 2021 and some C&C servers were still active in June 2021. The threat actor used mostly Cobalt Strike and phishing emails and documents on behalf of the Slovak National Security Authority. Our threat intelligence and malware research revealed several command and control servers around the globe. Some of them had direct relations to targets in the Slovak Republic.

Cobalt Strike

As described on the Cobalt Strike website, Cobalt Strike is “software for Adversary Simulations and Red Team Operations”. It is a commercial tool priced at $3,500 per user for one year, and it is used by many pentesters and red teamers as well as by some advanced threat actors such as APT19, APT29, APT32, Leviathan, Cobalt Group and FIN6. “Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network”. Therefore it is somewhat more interesting malware than relatively common backdoors, RATs, Metasploit and other publicly accessible free samples. Somebody submitted the sample called Aktualizáciu.img to the Any.Run sandbox on 23rd March 2021. This sample was submitted for analysis from Slovakia. It was then submitted again on 9th April. Probably someone was already/again investigating the attack. The original ISO filesystem contains timestamps with timezone information: UTC-07:00 (Pacific Daylight Time). Also, this sample was submitted to VirusTotal shortly after the reported creation timestamps of the ISO filesystems.
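As an added illustration of the timezone artifact mentioned above (example code, not from the original report), the following Python decodes the four volume timestamps of an ISO 9660 primary volume descriptor, including the signed GMT-offset byte that records the mastering machine's timezone; the image bytes it parses are constructed here, not the real sample.

```python
import struct
from datetime import datetime, timedelta, timezone

PVD_OFFSET = 16 * 2048          # primary volume descriptor lives in logical sector 16
DATE_FIELDS = {                 # 0-based byte offsets of the 17-byte date fields in the PVD
    "creation": 813,
    "modification": 830,
    "expiration": 847,
    "effective": 864,
}

def parse_iso9660_datetime(raw: bytes):
    """Decode a 17-byte ISO 9660 date field.

    Bytes 0-15 are ASCII digits YYYYMMDDHHMMSScc (cc = hundredths of a second);
    byte 16 is a signed offset from GMT in 15-minute units (-48 .. +52).
    Returns (aware local datetime, UTC offset in hours), or None when unset.
    """
    if len(raw) != 17:
        raise ValueError("ISO 9660 date field must be 17 bytes")
    digits, quarter_hours = raw[:16], struct.unpack("b", raw[16:17])[0]
    if digits == b"0" * 16:     # ECMA-119: all zeros means "not specified"
        return None
    t = digits.decode("ascii")
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    local = datetime(int(t[0:4]), int(t[4:6]), int(t[6:8]), int(t[8:10]),
                     int(t[10:12]), int(t[12:14]), int(t[14:16]) * 10000, tzinfo=tz)
    return local, quarter_hours / 4

def extract_pvd_timestamps(image: bytes) -> dict:
    """Return local time, UTC time and offset for every set timestamp in the PVD."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + 2048]
    if pvd[0:1] != b"\x01" or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    out = {}
    for name, pos in DATE_FIELDS.items():
        parsed = parse_iso9660_datetime(pvd[pos:pos + 17])
        if parsed:
            local, hours = parsed
            out[name] = {"local": local.isoformat(),
                         "utc": local.astimezone(timezone.utc).isoformat(),
                         "utc_offset_hours": hours}
    return out

def build_sample_image() -> bytes:
    """Constructed stand-in image: valid PVD header, creation date 2021-03-22
    14:05:00 at UTC-07:00 (offset byte -28 = -7 h * 4). Not the real sample."""
    image = bytearray(PVD_OFFSET + 2048)
    image[PVD_OFFSET] = 1
    image[PVD_OFFSET + 1:PVD_OFFSET + 6] = b"CD001"
    for pos in DATE_FIELDS.values():
        image[PVD_OFFSET + pos:PVD_OFFSET + pos + 17] = b"0" * 16 + b"\x00"
    image[PVD_OFFSET + 813:PVD_OFFSET + 830] = b"2021032214050000" + struct.pack("b", -28)
    return bytes(image)

if __name__ == "__main__":
    for name, ts in extract_pvd_timestamps(build_sample_image()).items():
        print(name, ts)
```

Mastering tools differ in whether they fill the offset byte; a value of 0 is ambiguous between "UTC" and "not recorded", so treat the timezone as a corroborating hint rather than proof.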
