[SANS ISC] Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th)

There is also a video of this analysis.

Renato gives an extensive analysis of MSBuild and Cobalt Strike malware in diary entry “Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons“.

I wanted to know if I could analyse these samples with my tools: this is the sample I looked at.
First I noticed a sequence of bytes (hexadecimal) that my base64dump.py tool should recognize as zxc encoding.

However, base64dump.py failed to recognize the complete sequence. First I assumed that the sequence contained some unexpected characters, but it turned out that was not the issue. With zxc encoding, base64dump.py looks for sequences of strings like 0x?? separated by commas (? represents an hexadecimal digit): my tool expects that each byte is encoded with 2 hexadecimal digits. And that is not the case in this sample:

Byte values smaller than 16 have no leading zero.

So I updated my base64dump.py tool to include another encoding: like zxc, but without leading zero. I called this encoding zxcn (n standing for no-leading-zeroes).

I use option “-e all” to try all encodings on the sample:

And with this new version, a very long sequence is detected: zxcn encoding, 1290778 characters long.

I run base64dump.py again, now only searching for zxcn encodings:

2 sequences are detected. Taking a closer look at the code in the sample, I notice that that second sequence is an XOR key that is used to decode the content of the first sequence:


That second sequence decodes to string uKIMvp, e.g., the XOR key I need to use to decode the payload.

I use my tool translate.py to do the XOR decoding like this:

This looks like a 64-bit Cobalt Strike PE file (notice magic header MZAR). Let’s check with my tool pecheck.py:

It is indeed a PE file, and more precisely a 64-bit Cobalt Strike DLL. Thus my tool 1768.py is suited to extract the configuration:


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2021-01-25

Kyberturvallisuus­keskus: Whatsapp-tilejä yritetään kaapata Suomessa huijausviesteillä www.hs.fi/kotimaa/art-2000007758688.html Rikolliset yrittävät kaapata tilejä muun muassa tekeytymällä Whatsappin tekniseksi tueksi. Lukijoilta: Huijari tyhjäsi netissä pankkitilini ilkkapohjalainen.fi/mielipide/yleisolta/lukijoilta-huijari-tyhjasi-netissa-pankkitilini-1.4810770 Tämä on esimerkki omasta tapauksesta, jossa hyväuskoisena luotin soittoon, jossa soittaja ilmoitti soittavansa Lontoossa sijaitsevasta Microsoft Support -tukipalvelukeskuksesta. Matkapuhelin­verkko voi kavaltaa kenen tahansa sijainnin: Siepattiinko arabi­prinsessa ja hänen suomalainen ystävänsä luksus­jahdilta kapteenin […]

Read More

[ZDNet] Run Windows software and more with this $35 Mac app bundle

All posts, ZDNet

When you boost your productivity, that leaves more time for fun, so get this bundle while it’s on sale… it won’t be for long. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] Abcbot botnet has now been linked to Xanthe cryptojacking group

All posts, ZDNet

Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. Source: Read More (Latest topics for ZDNet in Security)

Read More