FOCUS MODE
EXTRACT IOC
Threat Research

South Korean Organizations Targeted by Cobalt Strike Cat Delivered by a Rust Beacon

Securonix
South Korean Organizations Targeted by Cobalt Strike Cat Delivered by a Rust Beacon
Hunt researchers exposed a web server hosting tools linked to an intrusion campaign against South Korean organizations. This server, available for less than 24 hours, encompassed a Rust-compiled Windows executable that deployed Cobalt Strike Cat along with several other open-source tools. The attacker appears to have focused on exploiting vulnerabilities in government and commercial entities. Affected: South Korean organizations, government agencies, commercial entities

Keypoints :

  • Research identified a publicly accessible server with intrusion tools targeted at South Korean organizations.
  • The server hosted a Rust-compiled executable delivering Cobalt Strike Cat and various open-source tools.
  • SQLMap and other tools were found, indicating attempts to exploit vulnerabilities in web applications.
  • The attack targeted over 1,000 Korean domains linked to government and commercial sectors.
  • Cobalt Strike Cat and Marte shellcode were central to the attack strategy, using modified loaders for execution.
  • Logs confirmed beaconing activity from compromised hosts, indicating successful intrusions.
  • Defenders should monitor for unusual network traffic and signs of SQL injection attempts.

MITRE Techniques :

  • T1592 – Gather Victim Network Information: The attacker compiled a list of Korean domains for targeting, indicating reconnaissance.
  • T1190 – Exploit Public-Facing Application: Weapons like SQLMap were utilized against vulnerable South Korean websites.
  • T1071.001 – Application Layer Protocol: Malicious activities employed HTTP traffic patterns to mask C2 communications.
  • T1059.001 – PowerShell: The attacker staged payloads using PowerShell scripts for delivery on compromised machines.
  • T1071.003 – Application Layer Protocol: Used to manage and communicate with Cobalt Strike centers through standard protocols.

Indicator of Compromise :

  • [IP Address] 144.48.4[.]219:8000
  • [IP Address] 104.167.222[.]106
  • [SHA-256 Hash] ma.exe: f635f424b967e3df6bec0e6bd4643d5b19bb6e3e3d9c925d91124b80f85e8d1b
  • [SHA-256 Hash] 0101.txt: 4b00b7ef72db51bd3c40366e283fc4eed7d613b410fdebaf451bf926fdd427fd
  • [Filename] 123.zip

Full Story: https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea

Tags: PASSWORD, SQL INJECTION, EXPLOIT, PENETRATION, HUNTING, WINDOWS, GOVERNMENT, PROXY