Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
to close the modal, the class name has to match the name given on the ID --> <div id="btn-close-modal" class="close-cr-search-modal"> X </div> <div class="modal-content"> <div class="container columns"> <div class="column"> <div class="cr-search-modal__search-bar"> <h3>Search</h3> <form action="/hs-search-results"> <input type="search" class="hs-search-field__input" name="term" autocomplete="on" placeholder="Search..."> <input type="hidden" name="type" value="BLOG_POST"> <input type="hidden" name="type" value="LISTING_PAGE"> <button type="submit" class="arrow"></button> </form> </div> </div> </div> </div> </div> <!-- END Search Modal Wrap --> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end header --> </div><!--end header wrapper --> <div class="body-container-wrapper"> <div class="body-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12"> <div class="cr-mln__blog-post"> <div class="container-is-blog columns is-multiline page-center"> <div class="column is-8-fullhd is-8-desktop is-offset-2-fullhd is-offset-2-desktop is-10-tablet is-offset-1-tablet"> <div class="featured-image"><img src="https://www.cybereason.com/hubfs/Blog%20Images%20-%20Labs/Untitled-design-52.png" alt=""></div> <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group</span></h1> <div class="cr-mln__post-author-share"> <div id="hubspot-author_data" class="hubspot-editable cr-mln__post-meta" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author"> <span class="descriptor">Written By</span> <p><span class="author">Assaf Dahan</span></p> </div> 
</div> </div> <!-- Sticky Author and Social Box --> <!-- END Sticky Author and Social Box --> <div class="container-is-blog columns is-multiline page-center cr-mln__blog-post--body"> <div class="column is-7-fullhd is-7-desktop is-10-tablet is-10-mobile is-offset-1-fullhd is-offset-1-desktop is-offset-1-tablet is-offset-1-mobile"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>Dubbed Operation Cobalt Kitty, the <a href="https://www.cybereason.com/blog/advanced-persistent-threat-apt" target="_blank" rel="noopener">APT</a> targeted a global corporation based in Asia with the goal of stealing proprietary business information. The threat actor targeted the company’s top-level management by using spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments. During Operation Cobalt Kitty, the attackers compromised more than 40 PCs and servers, including the domain controller, file servers, Web application server and database server.</p> <p>Want to hear about another high-impact operation? 
<!--HubSpot Call-to-Action Code --><span class="hs-cta-wrapper" id="hs-cta-wrapper-5d884927-a051-4ae7-b129-94438da0638b"><span class="hs-cta-node hs-cta-5d884927-a051-4ae7-b129-94438da0638b" id="hs-cta-5d884927-a051-4ae7-b129-94438da0638b"><!--[if lte IE 8]><div id="hs-cta-ie-element"></div><![endif]--><a href="https://cta-redirect.hubspot.com/cta/redirect/3354902/5d884927-a051-4ae7-b129-94438da0638b" target="_blank" rel="noopener"><img class="hs-cta-img" id="hs-cta-img-5d884927-a051-4ae7-b129-94438da0638b" style="border-width:0px;" src="https://no-cache.hubspot.com/cta/default/3354902/5d884927-a051-4ae7-b129-94438da0638b.png" alt="Sign up for the Operation Soft Cell webinar"></a></span><script charset="utf-8" src="/hs/cta/cta/current.js"></script><script type="text/javascript"> hbspt.cta._relativeUrls=true;hbspt.cta.load(3354902, '5d884927-a051-4ae7-b129-94438da0638b', {"useNewLoader":"true","region":"na1"}); </script></span><!-- end HubSpot Call-to-Action Code --></p> <!--more--> <h2 style="font-weight: bold;">OPERATION COBALT</h2> <p>Forensic artifacts revealed that the attackers had persisted on the network for at least a year before Cybereason was deployed. The adversary proved highly adaptive, responding to the company’s security measures by periodically changing its tactics, techniques and procedures (TTPs), which allowed it to persist on the network for such an extended period. Over 80 payloads and numerous domains were observed in this operation, none of which were detected by the traditional security products deployed in the company’s environment at the time of the attack.</p> <p>The attackers’ arsenal consisted of modified publicly available tools as well as six previously undocumented custom-built tools, which Cybereason considers the threat actor’s signature tools. Among these tools are two backdoors that abused DLL side-loading in Microsoft, Google and Kaspersky applications. 
In addition, they developed a novel, stealthy backdoor that uses Microsoft Outlook as its command-and-control channel and for data exfiltration.</p> <p>Based on the tools, modus operandi and IOCs (indicators of compromise) observed in Operation Cobalt Kitty, Cybereason attributes this large-scale cyber-espionage APT to the “<a href="https://ti.360.com/upload/report/file/OceanLotusReport.pdf" target="_blank" rel="noopener noreferrer">OceanLotus Group</a>” (also known as <a href="http://zhuiri.360.cn/report/index.php/2015/05/29/482/?lang=en" target="_blank" rel="noopener noreferrer">APT-C-00</a>, SeaLotus and <a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" rel="noopener noreferrer">APT32</a>). For detailed information tying Operation Cobalt Kitty to the OceanLotus Group, please see our Attacker’s Arsenal and Threat Actor Profile sections.</p> <p>Cybereason also attributes the recently reported <a href="https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" target="_blank" rel="noopener noreferrer">Backdoor.Win32.Denis</a> to the OceanLotus Group; at the time of writing, that malware had not been publicly linked to this threat actor.</p> <p>Finally, this report offers a rare glimpse into what a cyber-espionage APT looks like “under the hood”. 
Cybereason was able to monitor and detect the entire attack lifecycle, from infiltration to exfiltration and every step in between.</p> <p>Our report contains the following detailed sections (PDF):</p> <ul> <li><a href="/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf" rel="nofollow noopener" target="_blank">Cobalt Kitty Lifecycle: A step-by-step analysis</a></li> <li><a href="/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part2.pdf" rel="nofollow noopener" target="_blank">Cobalt Kitty Attacker’s Arsenal: Deep dive into the tools used in the APT</a></li> <li><a href="/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part3.pdf" rel="nofollow noopener" target="_blank">Cobalt Kitty Threat Actor Profile and Indicators of Compromise</a></li> </ul> <h3>High-level attack outline: A cat-and-mouse game in four acts</h3> <p>The following sections outline the four phases of the attack as observed by Cybereason’s analysts, who were called in to investigate the environment after the company’s IT department suspected that the network had been breached but could not trace the source.</p> <h3 style="font-weight: bold;">Phase one: Fileless operation (PowerShell and Cobalt Strike payloads)</h3> <p>Based on the forensic evidence collected from the environment, phase one was a continuation of the original intrusion, which had begun about a year before Cybereason was deployed. 
During that phase, the threat actor operated a <a href="https://www.cybereason.com/blog/fileless-malware" target="_blank" rel="noopener">fileless</a> PowerShell-based infrastructure, using customized PowerShell payloads taken from known offensive frameworks such as <a href="https://www.cobaltstrike.com/help-smb-beacon" target="_blank" rel="noopener noreferrer">Cobalt Strike</a>, <a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" rel="noopener noreferrer">PowerSploit</a> and <a href="https://github.com/samratashok/nishang" target="_blank" rel="noopener noreferrer">Nishang</a>.</p> <p>Initial access was gained through social engineering: a carefully selected group of employees received spear-phishing emails containing either links to malicious sites or weaponized Word documents. These documents contained malicious macros that established persistence on the compromised machine via two scheduled tasks, whose purpose was to download secondary payloads (mainly Cobalt Strike Beacon):</p> <p><strong>Scheduled task 1:</strong> Downloads a COM scriptlet that redirects to a Cobalt Strike payload:</p> <p><a href="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=595&name=cmdline.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/cmdline.png"><img class="alignnone size-full wp-image-9265" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=595&name=cmdline.png" alt="Command line of scheduled task 1, which downloads a COM scriptlet" width="595" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/cmdline.png" title="cmdline.png" caption="false" data-constrained="true" style="width: 595px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=298&name=cmdline.png 298w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=595&name=cmdline.png 595w, 
https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=893&name=cmdline.png 893w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=1190&name=cmdline.png 1190w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=1488&name=cmdline.png 1488w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/cmdline.png?width=1785&name=cmdline.png 1785w" sizes="(max-width: 595px) 100vw, 595px"></a></p> <p><strong>Scheduled task 2:</strong> Uses JavaScript to download a Cobalt Strike Beacon:</p> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/schedukedtask2-1.png"><img class="alignnone wp-image-9266" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=551&height=134&name=schedukedtask2-1.png" alt="Command line of scheduled task 2, which downloads a Cobalt Strike Beacon" width="551" height="134" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=276&height=67&name=schedukedtask2-1.png 276w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=551&height=134&name=schedukedtask2-1.png 551w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=827&height=201&name=schedukedtask2-1.png 827w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=1102&height=268&name=schedukedtask2-1.png 1102w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=1378&height=335&name=schedukedtask2-1.png 1378w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/schedukedtask2-1.png?width=1653&height=402&name=schedukedtask2-1.png 1653w" sizes="(max-width: 551px) 100vw, 551px"></a></p> <p>A more detailed analysis of the malicious documents is provided in our Attack Life Cycle section.</p> <h3 dir="ltr" style="font-weight: bold;">Fileless payload delivery 
infrastructure</h3> <p><a href="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=802&name=compromisedmachine.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/compromisedmachine.png"><img class="alignnone wp-image-9271" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=802&name=compromisedmachine.png" alt="Fileless payload delivery infrastructure on a compromised machine" width="802" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/compromisedmachine.png" title="compromisedmachine.png" caption="false" data-constrained="true" style="width: 802px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=401&name=compromisedmachine.png 401w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=802&name=compromisedmachine.png 802w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=1203&name=compromisedmachine.png 1203w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=1604&name=compromisedmachine.png 1604w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=2005&name=compromisedmachine.png 2005w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/compromisedmachine.png?width=2406&name=compromisedmachine.png 2406w" sizes="(max-width: 802px) 100vw, 802px"></a></p> <p dir="ltr">In the first phase of the attack, the attackers used a fileless, in-memory payload delivery infrastructure consisting of the following components:</p> <ol> <li><strong>VBS and PowerShell-based loaders</strong></li> </ol> <p>The attackers dropped Visual Basic and PowerShell scripts in folders that they created under ProgramData (a folder that is hidden by default). The attackers established persistence through the Windows Registry, services and scheduled tasks. 
This persistence mechanism ensured that the loader scripts would execute either at startup or at predetermined intervals.</p> <p>Registry values show the VBS scripts being run by wscript.exe (Windows Script Host) at startup:</p> <p><a href="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=869&name=wscript.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/wscript.png"><img class="alignnone wp-image-9272" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=869&name=wscript.png" alt="Registry run values that execute the VBS loader scripts with wscript.exe at startup" width="869" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/wscript.png" title="wscript.png" caption="false" data-constrained="true" style="width: 869px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=435&name=wscript.png 435w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=869&name=wscript.png 869w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=1304&name=wscript.png 1304w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=1738&name=wscript.png 1738w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=2173&name=wscript.png 2173w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/wscript.png?width=2607&name=wscript.png 2607w" sizes="(max-width: 869px) 100vw, 869px"></a></p> <p>The .vbs scripts, as well as the .txt files, contain the loader script, which launches PowerShell with a Base64-encoded command that either loads another PowerShell script (e.g., Cobalt Strike Beacon) or fetches a payload from the command-and-control (C&C) server:</p> <p><a href="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=803&name=hiddenwindow.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/hiddenwindow.png"><img class="alignnone size-full 
wp-image-9274" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=803&name=hiddenwindow.png" alt="Loader script launching PowerShell with a Base64-encoded command" width="803" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/hiddenwindow.png" title="hiddenwindow.png" caption="false" data-constrained="true" style="width: 803px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=402&name=hiddenwindow.png 402w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=803&name=hiddenwindow.png 803w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=1205&name=hiddenwindow.png 1205w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=1606&name=hiddenwindow.png 1606w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=2008&name=hiddenwindow.png 2008w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/hiddenwindow.png?width=2409&name=hiddenwindow.png 2409w" sizes="(max-width: 803px) 100vw, 803px"></a></p> <ol start="2"> <li><strong>In-memory fileless payloads from C&C servers</strong></li> </ol> <p>The payloads served by the C&C servers are mostly PowerShell scripts with embedded Base64-encoded Metasploit and Cobalt Strike payloads:</p> <p><strong>Example 1: PowerShell payload with embedded shellcode that downloads a Cobalt Strike Beacon</strong></p> <p><a href="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=837&height=237&name=newojectio-1.png"><img class="alignnone wp-image-9276" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=837&height=237&name=newojectio-1.png" alt="PowerShell payload with embedded Base64-encoded shellcode" width="837" height="237" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=419&height=119&name=newojectio-1.png 419w, 
https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=837&height=237&name=newojectio-1.png 837w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=1256&height=356&name=newojectio-1.png 1256w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=1674&height=474&name=newojectio-1.png 1674w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=2093&height=593&name=newojectio-1.png 2093w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/newojectio-1.png?width=2511&height=711&name=newojectio-1.png 2511w" sizes="(max-width: 837px) 100vw, 837px"></a></p> <p>The decoded payload is shellcode that retrieves a Cobalt Strike Beacon from the C&C server:</p> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/push-1.png"><img class="alignnone wp-image-9275" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=584&height=426&name=push-1.png" alt="Decoded shellcode that retrieves a Cobalt Strike Beacon from the C&C server" width="584" height="426" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=292&height=213&name=push-1.png 292w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=584&height=426&name=push-1.png 584w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=876&height=639&name=push-1.png 876w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=1168&height=852&name=push-1.png 1168w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=1460&height=1065&name=push-1.png 1460w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/push-1.png?width=1752&height=1278&name=push-1.png 1752w" sizes="(max-width: 584px) 100vw, 584px"></a></p> <p><strong>Example 2: Cobalt Strike Beacon embedded in obfuscated PowerShell</strong></p> <p>A second type of obfuscated 
PowerShell payload consisted of Cobalt Strike’s Beacon payload:</p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/doit.png"><img class="alignnone wp-image-9273" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=646&name=doit.png" alt="doit.png" width="646" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/doit.png" title="doit.png" caption="false" data-constrained="true" style="width: 646px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=323&name=doit.png 323w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=646&name=doit.png 646w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=969&name=doit.png 969w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=1292&name=doit.png 1292w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=1615&name=doit.png 1615w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/doit.png?width=1938&name=doit.png 1938w" sizes="(max-width: 646px) 100vw, 646px"></a></p> <p><strong>Less than 48 hours after Cybereason alerted the company about the breach</strong>, the attackers started to change their approach and almost completely abandoned the PowerShell infrastructure that they had been using - replacing it with sophisticated custom-built backdoors. 
The attackers’ remarkable ability to quickly adapt demonstrated their skill, as well as their familiarity with and command of the company’s network and its operations.</p> <p>The attackers most likely replaced the PowerShell infrastructure after the company used both Windows Group Policy Object (GPO) and Cybereason’s execution prevention feature to prevent PowerShell execution.</p> <h3 style="font-weight: bold;">Phase two: Backdoors exploiting DLL-hijacking and using DNS tunneling</h3> <p>After realizing that the PowerShell infrastructure had been discovered, the attackers had to quickly replace it to maintain persistence and continue the operation. Replacing this infrastructure in 48 hours suggests that the threat actors were prepared for such a scenario.</p> <p>During the second phase of the attack, <strong>the attackers introduced two sophisticated backdoors that they attempted to deploy on selected targets. </strong>The introduction of the backdoors is a key turning point in the investigation since it demonstrated the threat actor’s resourcefulness and skill-set.</p> <p><strong>At the time of the attack, these backdoors were undetected and undocumented</strong> by any security vendor. Recently, Kaspersky researchers identified a variant of one of the backdoors as <a href="https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/" target="_blank" rel="noopener noreferrer">Backdoor.Win32.Denis</a>. The attackers had to make sure that they remained undetected, so the backdoors were designed to be as stealthy as possible. To avoid being discovered, the malware authors used these techniques:</p> <p><strong>Backdoors exploiting DLL hijacking against trusted applications</strong></p> <p>The backdoor exploited a vulnerability called “<a href="http://resources.infosecinstitute.com/dll-hijacking-attacks-revisited/" target="_blank" rel="noopener noreferrer"><strong>DLL hijacking</strong></a>” in order to “hide” the malware inside trusted software. 
This technique exploits a security vulnerability found in legitimate software, which allows the attackers to load a fake DLL and execute its malicious code.</p> <p>Please see an analysis of the backdoors in the Attacker’s Arsenal section.</p> <p>The attackers exploited this vulnerability against the following trusted applications:</p> <ul> <li><strong>Windows Search (vulnerable applications: </strong>searchindexer.exe / searchprotocolhost.exe) <ul> <li><strong>Fake DLL:</strong> msfte.dll (638b7b0536217c8923e856f4138d9caff7eb309d)</li> </ul> </li> </ul> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/dnstunneling1-1.png"><img class="alignnone wp-image-9282" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=374&height=446&name=dnstunneling1-1.png" alt="" width="374" height="446" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=187&height=223&name=dnstunneling1-1.png 187w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=374&height=446&name=dnstunneling1-1.png 374w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=561&height=669&name=dnstunneling1-1.png 561w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=748&height=892&name=dnstunneling1-1.png 748w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=935&height=1115&name=dnstunneling1-1.png 935w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling1-1.png?width=1122&height=1338&name=dnstunneling1-1.png 1122w" sizes="(max-width: 374px) 100vw, 374px"></a><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/fakemicrosoft-1.png"><img class="alignnone wp-image-9277" 
src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=287&height=389&name=fakemicrosoft-1.png" alt="" width="287" height="389" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=144&height=195&name=fakemicrosoft-1.png 144w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=287&height=389&name=fakemicrosoft-1.png 287w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=431&height=584&name=fakemicrosoft-1.png 431w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=574&height=778&name=fakemicrosoft-1.png 574w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=718&height=973&name=fakemicrosoft-1.png 718w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakemicrosoft-1.png?width=861&height=1167&name=fakemicrosoft-1.png 861w" sizes="(max-width: 287px) 100vw, 287px"></a></p> <p> </p> <ul> <li><strong>Google Update</strong> (d30e8c7543adbc801d675068530b57d75cabb13f) <ul> <li><strong>Fake DLL</strong>: goopdate.dll (973b1ca8661be6651114edf29b10b31db4e218f7)</li> </ul> </li> </ul> <p> </p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/fakegoogle2.png"><img class="alignnone wp-image-9280" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=388&name=fakegoogle2.png" alt="fakegoogle2.png" width="388" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/fakegoogle2.png" title="fakegoogle2.png" caption="false" data-constrained="true" style="width: 388px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=194&name=fakegoogle2.png 
194w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=388&name=fakegoogle2.png 388w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=582&name=fakegoogle2.png 582w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=776&name=fakegoogle2.png 776w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=970&name=fakegoogle2.png 970w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/fakegoogle2.png?width=1164&name=fakegoogle2.png 1164w" sizes="(max-width: 388px) 100vw, 388px"></a><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/fakegoogle-1.png"><img class="alignnone wp-image-9270" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=291&height=339&name=fakegoogle-1.png" alt="" width="291" height="339" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=146&height=170&name=fakegoogle-1.png 146w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=291&height=339&name=fakegoogle-1.png 291w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=437&height=509&name=fakegoogle-1.png 437w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=582&height=678&name=fakegoogle-1.png 582w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=728&height=848&name=fakegoogle-1.png 728w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/fakegoogle-1.png?width=873&height=1017&name=fakegoogle-1.png 873w" sizes="(max-width: 291px) 100vw, 291px"></a></p> <p> </p> <ul> <li><strong>Kaspersky’s Avpia </strong>(691686839681adb345728806889925dc4eddb74e) <ul> <li><strong>Fake DLL:</strong> product_info.dll (3cf4b44c9470fb5bd0c16996c4b2a338502a7517)</li> </ul> </li> 
</ul> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/kapersky-1.png"><img class="alignnone wp-image-9279" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=646&height=338&name=kapersky-1.png" alt="" width="646" height="338" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=323&height=169&name=kapersky-1.png 323w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=646&height=338&name=kapersky-1.png 646w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=969&height=507&name=kapersky-1.png 969w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=1292&height=676&name=kapersky-1.png 1292w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=1615&height=845&name=kapersky-1.png 1615w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/kapersky-1.png?width=1938&height=1014&name=kapersky-1.png 1938w" sizes="(max-width: 646px) 100vw, 646px"></a></p> <p>By exploiting legitimate software, the attackers bypassed application whitelisting and legitimate security software, allowing them to continue their operations without raising any suspicions.</p> <p><strong>DNS Tunneling as C2 channel -</strong></p> <p>In an attempt to overcome network filtering solutions, the attackers implemented a <a href="https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/">stealthier</a> C2 communication method, using “<a href="http://resources.infosecinstitute.com/dns-tunnelling/#gref">DNS Tunneling</a>” – a method of C2 communication and data exfiltration using the DNS protocol. 
To ensure that the DNS traffic would not be filtered, the attackers configured the backdoor to communicate with Google and OpenDNS DNS servers, since most organizations and security products will not filter traffic to those two major DNS services.</p> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/dnstunneling-3.png"><img class="alignnone wp-image-9268" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=305&height=364&name=dnstunneling-3.png" alt="" width="305" height="364" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=153&height=182&name=dnstunneling-3.png 153w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=305&height=364&name=dnstunneling-3.png 305w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=458&height=546&name=dnstunneling-3.png 458w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=610&height=728&name=dnstunneling-3.png 610w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=763&height=910&name=dnstunneling-3.png 763w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling-3.png?width=915&height=1092&name=dnstunneling-3.png 915w" sizes="(max-width: 305px) 100vw, 305px"></a><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/dnstunneling2-1.png"><img class="alignnone wp-image-9269" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=407&height=205&name=dnstunneling2-1.png" alt="" width="407" height="205" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=204&height=103&name=dnstunneling2-1.png 204w, 
https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=407&height=205&name=dnstunneling2-1.png 407w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=611&height=308&name=dnstunneling2-1.png 611w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=814&height=410&name=dnstunneling2-1.png 814w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=1018&height=513&name=dnstunneling2-1.png 1018w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/dnstunneling2-1.png?width=1221&height=615&name=dnstunneling2-1.png 1221w" sizes="(max-width: 407px) 100vw, 407px"></a></p> <p>The screenshot below shows the traffic generated by the backdoor and demonstrates DNS Tunneling for C2 communication. As shown, while the destination IP is “8.8.8.8” – Google’s DNS server – the malicious domain is “hiding” inside the DNS packet:</p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/deatinationprot.png"><img class="alignnone size-full wp-image-9278" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=1548&name=deatinationprot.png" alt="deatinationprot.png" width="1548" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/deatinationprot.png" title="deatinationprot.png" caption="false" data-constrained="true" style="width: 1548px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=774&name=deatinationprot.png 774w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=1548&name=deatinationprot.png 1548w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=2322&name=deatinationprot.png 2322w, 
https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=3096&name=deatinationprot.png 3096w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=3870&name=deatinationprot.png 3870w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/deatinationprot.png?width=4644&name=deatinationprot.png 4644w" sizes="(max-width: 1548px) 100vw, 1548px"></a></p> <h3><strong>Phase three: Novel MS Outlook backdoor and lateral movement spree</strong></h3> <p>In the third phase of the operation, the attackers harvested credentials stored on the compromised machines and performed lateral movement and infected new machines. The attackers also <strong>introduced a very rare and stealthy technique</strong> to communicate with their servers and exfiltrate data using <strong>Microsoft Outlook</strong>.</p> <h3><strong>Outlook macro backdoor</strong></h3> <p><a href="https://cdn2.hubspot.net/hubfs/3354902/Imported_Blog_Media/phishingemail-1.png"><img class="alignnone wp-image-9264" src="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=442&height=450&name=phishingemail-1.png" alt="" width="442" height="450" style="display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=221&height=225&name=phishingemail-1.png 221w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=442&height=450&name=phishingemail-1.png 442w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=663&height=675&name=phishingemail-1.png 663w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=884&height=900&name=phishingemail-1.png 884w, https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=1105&height=1125&name=phishingemail-1.png 1105w, 
https://www.cybereason.com/hs-fs/hubfs/Imported_Blog_Media/phishingemail-1.png?width=1326&height=1350&name=phishingemail-1.png 1326w" sizes="(max-width: 442px) 100vw, 442px"></a></p> <p>In a relentless attempt to remain undetected, the attackers devised a very stealthy C2 channel that is hard to detect since it leverages an email-based C2 channel. The attackers <strong>installed a backdoor macro in Microsoft Outlook</strong> that enabled them to execute commands, deploy their tools and steal valuable data from the compromised machines.</p> <p>For a detailed analysis of the Outlook backdoor, please see the Attacker’s Arsenal section.</p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/ecpte.png"><img class="alignnone wp-image-9281" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=614&name=ecpte.png" alt="ecpte.png" width="614" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/ecpte.png" title="ecpte.png" caption="false" data-constrained="true" style="width: 614px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=307&name=ecpte.png 307w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=614&name=ecpte.png 614w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=921&name=ecpte.png 921w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=1228&name=ecpte.png 1228w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=1535&name=ecpte.png 1535w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/ecpte.png?width=1842&name=ecpte.png 1842w" sizes="(max-width: 614px) 100vw, 614px"></a></p> <p>This technique works as follows:</p> <ol> <li>The malicious macro scans the victim’s Outlook inbox and 
looks for the strings <strong>“$$cpte”</strong> and <strong>“$$ecpte”</strong>.</li> <li>Then the macro will open a CMD shell that will execute whatever instruction / command is between the strings.</li> <li>The macro deletes the message from the inbox to ensure minimal risk of exposure.</li> <li>The macro searches for the special strings in the “Deleted Items” folder to find the attacker’s email address and sends the data back to the attackers via email.</li> <li>Lastly, the macro will delete any evidence of the emails received or sent by the attackers.</li> </ol> <h3><strong>Credential dumping and lateral movement</strong></h3> <p>The attackers used the famous <a href="https://github.com/gentilkiwi/mimikatz"><strong>Mimikatz</strong></a> credential dumping tool as their main tool to obtain credentials, including user passwords, NTLM hashes and Kerberos tickets. Mimikatz is a very popular tool and is detected by most antivirus vendors and other security products. Therefore, the attackers used over 10 different customized Mimikatz payloads, which were obfuscated and packed in a way that allowed them to evade antivirus detection.</p> <p>The following are examples of Mimikatz command line arguments detected during the attack: </p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/mimikatz.png"><img class="alignnone size-full wp-image-9263" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=828&name=mimikatz.png" alt="mimikatz.png" width="828" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/mimikatz.png" title="mimikatz.png" caption="false" data-constrained="true" style="width: 828px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=414&name=mimikatz.png 414w, 
https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=828&name=mimikatz.png 828w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=1242&name=mimikatz.png 1242w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=1656&name=mimikatz.png 1656w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=2070&name=mimikatz.png 2070w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/mimikatz.png?width=2484&name=mimikatz.png 2484w" sizes="(max-width: 828px) 100vw, 828px"></a></p> <p>The stolen credentials were used to infect more machines, leveraging Windows built-in tools as well as <a href="https://attack.mitre.org/wiki/Technique/T1097">pass-the-ticket</a> and <a href="https://en.wikipedia.org/wiki/Pass_the_hash">pass-the-hash</a> attacks.</p> <p><a href="https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/passthehash.png"><img class="alignnone wp-image-9267" src="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=587&name=passthehash.png" alt="passthehash.png" width="587" data-originalsrc="https://www.cybereason.com/wp-content/uploads/2017/05/passthehash.png" title="passthehash.png" caption="false" data-constrained="true" style="width: 587px; display: block; margin-left: auto; margin-right: auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=294&name=passthehash.png 294w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=587&name=passthehash.png 587w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=881&name=passthehash.png 881w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=1174&name=passthehash.png 1174w, 
https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=1468&name=passthehash.png 1468w, https://www.cybereason.com/hs-fs/hubfs/Blog%20Images%20-%20Labs/passthehash.png?width=1761&name=passthehash.png 1761w" sizes="(max-width: 587px) 100vw, 587px"></a></p> <h3><strong>Phase four: New arsenal and attempt to restore PowerShell infrastructure</strong></h3> <p>After a four week lull and no apparent malicious activity, the attackers returned to the scene and introduced new and improved tools aimed at bypassing the security mitigations that were implemented by the company’s IT team. These tools and methods <strong>mainly allowed them to bypass the PowerShell execution restrictions and password dumping mitigations</strong>.</p> <p>During that phase, Cybereason found a compromised server that was used as the main attacking machine, where the attackers stored their arsenal in a network share, which made it easier to spread their tools to other machines on the network. 
The attackers’ arsenal consisted of:</p> <ul> <li><strong>New variants of Denis and Goopy backdoors</strong></li> <li><strong>PowerShell Restriction Bypass Tool</strong> <strong>-</strong> Adapted from the <a href="https://github.com/p3nt4/PSUnlock">PSUnlock GitHub</a> project.</li> <li><strong>PowerShell Cobalt Strike Beacon -</strong> New payload + new C2 domain</li> <li><strong>PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from Daniel Bohannon’s GitHub <a href="https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Invoke-Obfuscation.ps1">project</a>.</strong></li> <li><strong>HookPasswordChange</strong> <strong>-</strong> Inspired by <a href="https://gist.github.com/mubix/6514311#file-evilpassfilter-cpp">tools</a> found <a href="https://github.com/clymb3r/Misc-Windows-Hacking/blob/master/HookPasswordChange/HookPasswordChange/HookPasswordChange.cpp">on GitHub</a>, this tool alerts the attackers if a password has been changed. Using this tool, the attackers could overcome a password reset. The attackers modified their tool.</li> <li><strong>Customized Windows Credentials Dumper -</strong> A PowerShell password dumper that is based on a <a href="http://www.oxid.it/downloads/vaultdump.txt">known password dumping tool</a>, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords.</li> <li><strong>Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers.</strong></li> <li><strong>Mimikatz -</strong> PowerShell and Binary versions, with multiple layers of obfuscation.</li> </ul> <p>Please see the Attacker’s Arsenal section for detailed analysis of the tools.</p> <p>An analysis of this arsenal shows that the attackers went out of their way to restore the PowerShell-based infrastructure, even though it had already been detected and shut down once. 
The attackers’ preference to use a fileless infrastructure specifically in conjunction with Cobalt Strike is very evident. This could suggest that the attackers preferred to use known tools that are more expendable rather than using their own custom-built tools, which were used as a last resort.</p> <h3><strong>Conclusion</strong></h3> <p>Operation Cobalt Kitty was a major cyber espionage APT that targeted a global corporation in Asia and was carried out by the OceanLotus Group. The analysis of this APT proves how determined and motivated the attackers were. They continuously changed techniques and upgraded their arsenal to remain under the radar. In fact, they never gave up, even when the attack was exposed and shut down by the defenders.</p> <p>During the investigation of Operation Cobalt Kitty, Cybereason uncovered and analyzed new tools in the OceanLotus Group’s attack arsenal, such as:</p> <ul> <li>New backdoor (“Goopy”) using HTTP and DNS Tunneling for C2 communication.</li> <li>Undocumented backdoor that used Outlook for C2 communication and data exfiltration.</li> <li>Backdoors exploiting DLL sideloading attacks in legitimate applications from Microsoft, Google and Kaspersky.</li> <li>Three customized credential dumping tools, which are inspired by known tools.</li> </ul> <p>In addition, Cybereason uncovered new variants of the <a href="https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/">“Denis” backdoor</a> and managed to attribute the backdoor to the OceanLotus Group - a connection that had not been publicly reported before.</p> <p>This report provides a rare deep dive into a sophisticated APT that was carried out by one of the most fascinating groups operating in Asia. 
The ability to closely monitor and detect the stages of an entire APT lifecycle - from initial infiltration to data exfiltration - is far from trivial.</p> <p>The fact that most of the attackers’ tools were not detected by the antivirus software and other security products deployed in the company’s environment before Cybereason, is not surprising. The attackers obviously invested significant time and effort in keeping the operation undetected, striving to evade antivirus detection.</p> <p>As the investigation progressed, some of the IOCs observed in Operation Cobalt Kitty started to emerge in the wild, and recently some were even reported being used in <a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" rel="noopener noreferrer">other campaigns</a>. It is important to remember, however, that IOCs have a tendency to change over time. Therefore, understanding a threat actor’s behavioral patterns is essential in combatting modern and sophisticated APTs. The modus operandi and tools served as behavioral fingerprints also played an important role in tying Operation Cobalt Kitty to the OceanLotus Group.</p> <p>Lastly, our research provides an important testimony to the capabilities and working methods of the OceanLotus Group. Operation Cobalt Kitty is unique in many ways, nonetheless, it is still just one link in the group’s ever-growing chain of APT campaigns. Orchestrating multiple APT campaigns in parallel and attacking a broad spectrum of targets takes an incredible amount of resources, time, manpower and motivation. This combination is likely to be more common among nation-state actors. 
While there are many rumours and speculations circulating in the InfoSec community, at the time of writing, there was no publicly available evidence that can confirm that the OceanLotus Group is a nation-state threat actor.</p> <p>Until such evidence is made public, we will leave it to our readers to judge for themselves.</p> <p>To be continued ... Meow.</p> <p>Learn how to create a closed-loop security process to better defend against this type of attack. <!--HubSpot Call-to-Action Code --><span class="hs-cta-wrapper" id="hs-cta-wrapper-db7ec7b0-6c73-4af6-86ce-58fe37cec1e0"><span class="hs-cta-node hs-cta-db7ec7b0-6c73-4af6-86ce-58fe37cec1e0" id="hs-cta-db7ec7b0-6c73-4af6-86ce-58fe37cec1e0"><!--[if lte IE 8]><div id="hs-cta-ie-element"></div><![endif]--><a href="https://cta-redirect.hubspot.com/cta/redirect/3354902/db7ec7b0-6c73-4af6-86ce-58fe37cec1e0" target="_blank" rel="noopener"><img class="hs-cta-img" id="hs-cta-img-db7ec7b0-6c73-4af6-86ce-58fe37cec1e0" style="border-width:0px;" src="https://no-cache.hubspot.com/cta/default/3354902/db7ec7b0-6c73-4af6-86ce-58fe37cec1e0.png" alt="Read how to create a closed-loop security process with MITRE ATT&CK."></a></span><script charset="utf-8" src="/hs/cta/cta/current.js"></script><script type="text/javascript"> hbspt.cta._relativeUrls=true;hbspt.cta.load(3354902, 'db7ec7b0-6c73-4af6-86ce-58fe37cec1e0', {"useNewLoader":"true","region":"na1"}); </script></span><!-- end HubSpot Call-to-Action Code --></p></span> <!-- IOC PopUp Modal --> <!-- --> <!-- Social Share --> <div class="cr-blog-post__social-sharing"> <span>Share</span> <div id="hs_cos_wrapper_module_161724375084957" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-social_sharing" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <div class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_social_sharing" data-hs-cos-general-type="widget" data-hs-cos-type="social_sharing"> <a 
class="post-name"><span class="underline">Unlocking the Potential of AI in Cybersecurity: Embracing the Future and Its Complexities</span></a> </div> </div> </div> <div class="sidebar-block category-listing"> <h4>Categories</h4> <ul> <li><a href="https://www.cybereason.com/blog/category/research">Research</a></li> <li><a href="https://www.cybereason.com/blog/category/podcasts">Podcasts</a></li> <li><a href="https://www.cybereason.com/blog/category/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/blog/category/resources">Resources</a></li> <li><a href="https://www.cybereason.com/blog/category/videos">Videos</a></li> <li><a href="https://www.cybereason.com/blog/category/news">News</a></li> </ul> <a class="rec-category__single--view-all" href="/blog/category/research">All Posts</a> </div> </div><!-- END .rec-categories__all --> </div> </div> </div> </div></div> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-2 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="display: none;" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1616011887658867" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <section class="cr-section related-posts__wrapper"> <div class="container container-is-blog page-center"> <h3>Related Posts</h3> <div class="columns is-multiline"> <div class="column is-6-fullhd is-6-desktop is-full-mobile blog-listing__single-post"> <div class="text-content-bundle"> <a href="https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/featured-images/cuckoo-spear-part-1-analysis-blog-analysis-featured.png" alt="CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective"></a> <h4><a 
href="https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor"><span class="underline">CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective</span></a></h4> <p>In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques.</p> </div> </div> <div class="column is-6-fullhd is-6-desktop is-full-mobile blog-listing__single-post"> <div class="text-content-bundle"> <a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"><img src="https://www.cybereason.com/hubfs/strifewater.png" alt="StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations"></a> <h4><a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"><span class="underline">StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations</span></a></h4> <p>Cybereason discovered an undocumented RAT dubbed StrifeWater attributed to Iranian APT Moses Staff who deploy destructive ransomware following network infiltration and the exfiltration of sensitive data...</p> </div> </div> </div> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-3 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_161767462015235" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-blog_subscribe" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-mln__blog-listing-page__subscribe-footer"> <div class="container container-is-blog columns page-center"> <div class="column is-8-fullhd is-8-desktop 
is-10-tablet is-12-mobile"> <span class="tag">NEWSLETTER</span> <h3>Never miss a blog</h3> <p>Get the latest research, expert insights, and security industry news.</p> <a class="cr-button cr-mln__subscribe" href="#blog-subscribe">Subscribe</a> </div> <!--<div class="column is-5-fullhd is-5-desktop is-half-tablet is-12-mobile is-offset-1-fullhd is-offset-1-desktop"> <div class="inputs-wrapper"> </div> </div>--> </div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-4 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_166508001252918" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-sticky-cta-bar bg-black" id="sticky-bar"> <div class="content"> <span>Want to see the Cybereason Defense Platform in action?</span> <a class="cr-button cr-button__fill-yellow" href="https://www.cybereason.com/request-a-demo" target="_blank">Schedule a Demo</a> </div> <div class="close">X</div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end body --> </div><!--end body wrapper --> <div class="footer-container-wrapper"> <div class="footer-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_16036762394194314" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><!-- FOOTER --> <footer class="cr-section cr-footer cr-footer__full"> <div class="container page-center"> <div class="columns"> <div 
class="column is-6-fullhd is-5-desktop cr-footer__col cr-footer__left"> <div class="cr-footer__Left-logo"> <a href="https://www.cybereason.com"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-white.png"> </a> </div> </div> <div class="columns column is-6-fullhd is-6-desktop cr-footer__col cr-footer__right"> <div class="cr-footer__links-list column"> <h4>About</h4> <ul> <li><a href="https://www.cybereason.com/company/who-we-are">Who We Are</a> </li><li><a href="https://www.cybereason.com/company/careers">Careers</a> <!-- </li><li><a href="https://www.cybereason.com/company/leadership">Leadership</a> ---> </li><li><a href="https://www.cybereason.com/company/contact-us">Contact</a> </li></ul> </div> <div class="cr-footer__links-list column"> <h4>Resources</h4> <ul> <li><a href="https://www.cybereason.com/blog">Blog</a></li> <li><a href="https://www.cybereason.com/resources/tag/case-study">Case Studies</a></li> <li><a href="https://www.cybereason.com/resources/tag/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/resources/tag/white-papers">White Papers</a></li> </ul> </div> <div class="cr-footer__links-list column"> <h4>Platform</h4> <ul> <li><a href="https://www.cybereason.com/platform">Overview</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-prevention">Endpoint Protection</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-detection-response-edr">EDR</a></li> <li><a href="https://www.cybereason.com/platform/managed-detection-response-mdr">MDR</a></li> </ul> </div> </div> </div> </div> <div class="container page-center"> <div class="columns cr-footer__bottom-bar"> <div class="column"> <p>©Cybereason 2024. 
All Rights Reserved.</p> </div> <div class="column bottom-bar__links"> <ul> <li><a href="https://www.cybereason.com/terms-of-use">Terms of Use</a></li> <li><a href="https://www.cybereason.com/privacy-notice">Privacy Notice</a></li> <li><a href="https://www.cybereason.com/ccpa-privacy-request">Do Not Sell</a></li> <li><a href="https://www.cybereason.com/security">Security</a></li> <!--<li><a href="#">Cookie Policy</a></li>--> </ul> </div> <div class="column bottom-bar__social"> <ul> <li><a class="facebook" href="https://www.facebook.com/Cybereason/"></a></li> <li><a class="twitter" href="https://twitter.com/cybereason"></a></li> <li><a class="youtube" href="https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew"></a></li> <li><a class="linkedin" href="https://www.linkedin.com/company/cybereason"></a></li> <li><a class="instagram" href="https://www.instagram.com/cybereason"></a></li> </ul> </div> </div> </div> </footer></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end footer --> </div><!--end footer wrapper --> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507089303/1644440411417/__CR_Web_Platform/JS/animatedModal/animatedModal.min.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386128/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443113/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.js"></script> <script 
src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042213858/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/86933076631/1669911113440/module_86933076631_CR_-_Sticky_CTA_Bar.min.js"></script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.cybereason.com\/blog\/operation-cobalt-kitty-apt"]); _hsq.push(["setPageId", "5283765824"]); _hsq.push(["setContentMetadata", { "contentPageId": 5283765824, "legacyPageId": "5283765824", "contentFolderId": null, "contentGroupId": 5272851739, "abTestId": null, "languageVariantId": 5283765824, "languageCode": "en", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/3354902.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "5f6b9d33-ad7d-4aac-9a59-81e3d2dfabfd", ticks: 1732661178907, page_id: 5283765824, content_group_id: 5272851739, portal_id: 3354902, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "5283765824", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.354/js/index.js"></script> <script>if ($('[id^="hs_form"]').length > 0) { var myInterval = setInterval( function() { var myFields = document.getElementsByClassName('hs-input'); if (myFields.length > 0) { clearInterval(myInterval); for (var i = 0; i < myFields.length; i++) { var myField = myFields[i]; var myTagName = myField.tagName.toLowerCase(); if (myTagName == 'input' || myTagName == 'textarea') { if (myField.placeholder != null) { myField.placeholder = 
myField.placeholder.replace('*', ''); } } else if (myTagName == 'select') { myField.options[0].innerHTML = myField.options[0].innerHTML.replace('*', ''); } } } }, 100); } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_GB/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> <script> function sticky_relocate() { var window_top = $(window).scrollTop(); var div_top = $('#sticky-anchor').offset().top; if (window_top > div_top) { $('#sticky').addClass('stick'); } else { $('#sticky').removeClass('stick'); } } $(function() { $(window).scroll(sticky_relocate); sticky_relocate(); }); </script> <!-- Generated by the HubSpot Template Builder - template version 1.03 --> <script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1279518831" async></script></body></html>