What Is Fileless Malware? S1Ep2: Operation Cobalt Kitty

This article examines “Operation Cobalt Kitty,” a sophisticated intrusion campaign against financial companies in Asia. The attackers relied primarily on fileless malware, spear-phishing, and DNS tunneling to gain access to sensitive systems and maintain persistence. The operation illustrates the damage fileless malware can do and how it went undetected by the security controls already in place. Affected: financial sector, cybersecurity sector

Keypoints :

  • “Operation Cobalt Kitty” targeted financial institutions in Asia.
  • The operation utilized spear-phishing to breach high-level executives’ systems.
  • Attackers compromised over 40 computers and servers, including domain controllers and database servers.
  • Fileless payloads were built in PowerShell using offensive frameworks such as Cobalt Strike and Nishang, so no malicious executable had to be written to disk.
  • Social engineering tactics were employed to distribute malicious Word documents with embedded macros.
  • Persistent backdoors were established, enabling attackers to remain undetected for over a year.
  • DLL Hijacking was used to hide malware within legitimate software components.
  • DNS tunneling was employed to bypass network filtering and exfiltrate data unnoticed.
  • Credentials such as passwords and NTLM hashes were harvested using Mimikatz.
  • The attackers adapted their strategies to evade detection during the operation.

MITRE Techniques :

  • Phishing: Spearphishing Attachment (T1566.001): Used spear-phishing emails with weaponized documents to target high-level executives.
  • Command and Scripting Interpreter: PowerShell (T1059.001) and Visual Basic (T1059.005): Employed PowerShell and VBS scripts to run fileless payloads in memory.
  • Boot or Logon Autostart Execution (T1547) and Scheduled Task/Job (T1053): Established persistence through Windows registry autostart entries and scheduled tasks.
  • Hijack Execution Flow: DLL Search Order Hijacking (T1574.001, formerly T1038): Planted malicious DLLs so that trusted applications loaded and executed them.
  • Exfiltration Over C2 Channel (T1041) using Application Layer Protocol: DNS (T1071.004): Exfiltrated stolen data by tunneling it inside DNS queries resolved via Google DNS.
  • OS Credential Dumping (T1003): Used Mimikatz to retrieve passwords and NTLM hashes, enabling lateral movement to additional machines.
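The DNS tunneling described in the key points and in the Exfiltration Over C2 Channel entry above leaves two traces that network logs can catch: endpoints sending queries straight to a public resolver instead of the corporate one, and long, high-entropy subdomains (the encoded data) under a single attacker domain. The following heuristic detector is an added example, not code from the original article or from the Cybereason report it summarizes. It assumes a constructed tab-separated DNS log format (timestamp, client IP, resolver IP, query name, query type), a hypothetical sanctioned-resolver list `CORP_RESOLVERS`, and illustrative thresholds; the sample log lines are made up for the demonstration.

```python
"""Heuristic DNS tunneling detector (added example, not from the original page).

Assumptions: tab-separated log records "ts\tclient_ip\tresolver_ip\tqname\tqtype",
a sanctioned internal resolver set CORP_RESOLVERS, and illustrative thresholds.
"""
import hashlib
import math
from collections import defaultdict

CORP_RESOLVERS = {"10.0.0.53"}             # assumption: sanctioned internal resolvers
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # Google DNS, used as the tunnel's resolver
LABEL_LEN_THRESHOLD = 24                   # leftmost label this long looks like encoded data
ENTROPY_THRESHOLD = 3.5                    # bits per character; hostnames are usually far lower
UNIQUE_SUBDOMAIN_THRESHOLD = 8             # unique subdomains per (client, domain)

# Constructed sample log: two normal clients plus one client tunneling TXT queries
# to 8.8.8.8 with hex-encoded chunks as subdomains of an attacker-controlled domain.
SAMPLE_LOG = [
    "2024-01-01T09:00:01\t10.1.1.20\t10.0.0.53\twww.example.com\tA",
    "2024-01-01T09:00:02\t10.1.1.20\t10.0.0.53\tmail.example.com\tA",
    "2024-01-01T09:00:03\t10.1.1.21\t10.0.0.53\tlogin.example.com\tA",
    "2024-01-01T09:00:04\t10.1.1.21\t10.0.0.53\tcdn-assets.example.net\tA",
    "2024-01-01T09:00:05\t10.1.1.77\t8.8.8.8\tq8z3wk7m1vp5x2ng9b4j.tunnel-example.net\tTXT",
] + [
    "2024-01-01T09:00:%02d\t10.1.1.77\t8.8.8.8\t%s.tunnel-example.net\tTXT"
    % (6 + i, hashlib.sha256(b"chunk%d" % i).hexdigest()[:32])
    for i in range(10)
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (subdomain, registered_domain).

    Uses a naive last-two-labels rule; a real deployment would use the
    public suffix list so that names like example.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    ts, client, resolver, qname, qtype = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname, "qtype": qtype}


def analyze(lines):
    """Return findings as (client, name, kind, detail) tuples."""
    findings = []
    per_client_domain = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        sub, dom = split_domain(rec["qname"])
        # 1. Endpoint bypassing the corporate resolver (the filtering bypass itself).
        if rec["resolver"] not in CORP_RESOLVERS:
            kind = "public" if rec["resolver"] in PUBLIC_RESOLVERS else "unsanctioned"
            findings.append((rec["client"], rec["qname"], "resolver_bypass",
                             "%s resolver %s" % (kind, rec["resolver"])))
        # 2. Leftmost label that is long or high-entropy, i.e. encoded payload data.
        first_label = sub.split(".")[0] if sub else ""
        if (len(first_label) >= LABEL_LEN_THRESHOLD
                or shannon_entropy(first_label) >= ENTROPY_THRESHOLD):
            findings.append((rec["client"], rec["qname"], "encoded_label",
                             "len=%d entropy=%.2f" % (len(first_label),
                                                      shannon_entropy(first_label))))
        per_client_domain[(rec["client"], dom)].add(sub)
    # 3. Many unique subdomains under one domain from one client (chunked exfiltration).
    for (client, dom), subs in per_client_domain.items():
        if len(subs) >= UNIQUE_SUBDOMAIN_THRESHOLD:
            findings.append((client, dom, "subdomain_volume",
                             "%d unique subdomains" % len(subs)))
    return findings


def summarize(findings):
    """Count findings per client and kind: {client: {kind: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for client, _name, kind, _detail in findings:
        out[client][kind] += 1
    return {c: dict(k) for c, k in out.items()}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%s  %-45s %-17s %s" % f)
```

The three checks are independent on purpose: a single long label or a single query to 8.8.8.8 is not conclusive on its own (the resolver is a legitimate public service), but a client that combines a resolver bypass with a steady stream of high-entropy subdomains under one domain is the pattern worth an alert. Tune the thresholds against your own baseline before relying on them.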

Indicators of Compromise :

  • [File Name] msfte.dll
  • [File Name] goopdate.dll
  • [File Name] product_info.dll
  • [IP Address] 8.8.8.8
  • [URL] https://github.com/samratashok/nishang

Note on use: the three DLL names are those of legitimate components that were hijacked (see DLL Hijacking above), so match on file path, hash, or code signature rather than on the name alone. 8.8.8.8 is Google's public DNS resolver and the Nishang URL is a public open-source repository; neither should be blocked or alerted on by itself. The actionable signal is an endpoint resolving directly against 8.8.8.8 instead of the corporate resolver, or Nishang modules appearing in PowerShell activity.

Full Story: https://medium.com/bloodraven/fileless-malware-nedir-s1ep2-cobalt-kitty-operasyonu-b82930399000?source=rss——cybersecurity-5