Last month, the Chilean Army (Ejército de Chile) suffered damage when military documents leaked to the dark web after a ransomware attack by the group known as Rhysida, which abused Cobalt Strike. The Rhysida ransomware gang stole 360,000 files, about 30% of the documents, from the Chilean Army’s network and exposed the stolen files on its dark web data breach site. The ransomware is presumed to have entered the network through a phishing attack, followed by deployment of Cobalt Strike and a C2 framework. When the malware used in the attack runs, it encrypts the user’s files and displays a PDF ransom note called “CriticalBreachDetected.pdf”. Since military documents are sensitive information equivalent to state secrets, this case shows the severity of ransomware delivered through Cobalt Strike and abused C2 servers.

Cobalt Strike, which we covered in the previous article on how to detect Cobalt Strike malware, is a commercial penetration testing tool that was originally built for standing up a C2 server. Because it can build a custom C2 server, it is also often abused in ransomware and PC infection attacks. On the OSINT cybersecurity search engine Criminal IP, you can find IP addresses infected through abused Cobalt Strike and check in detail why an IP address is rated a “Critical” risk. In this article, we cover malware that abused Cobalt Strike and C2 servers, such as Rhysida ransomware, and the IP addresses infected by it.

Detecting IP Addresses Infected With Cobalt Strike Ransomware and Malware

When you search for Cobalt Strike with a tag search in Criminal IP, botnet servers commonly used as C2 servers are identified.

Search Query: tag: cobalt strike

Search results of "tag: cobalt strike" on the Threat Intelligence search engine Criminal IP

You can see that most of the search results show both the Inbound and Outbound scores as “Critical”. Of course, using Cobalt Strike alone doesn’t make an IP address dangerous; the score is determined from several pieces of information combined. For example, IP addresses identified as malicious by reputation sources such as Snort rules or MISP are likely to be associated with malware that abused Cobalt Strike. Moreover, by adding the filter “snort_rule: C2” to “tag: cobalt strike” in your search, you can find IP addresses that correspond to malicious network activity through abused C2 servers.

Search results of "tag: cobalt strike snort_rule: C2" on the Threat Intelligence search engine Criminal IP

Search Query: tag: cobalt strike snort_rule: C2

Details of IP Addresses Infected With Cobalt Strike Ransomware and Malware

To check the IP addresses infected with Cobalt Strike ransomware and malware in more detail, we clicked on one of the search results to view its details. You can verify that the external reputation information mentioned above was also detected at that IP address. This indicates that Snort’s IDS (Intrusion Detection System) has detected access to the Cobalt Strike C2 server.

Cobalt Strike C2 server detected in Snort's IDS (Intrusion Detection System)

Also, since the IP address has a history of being linked to a phishing domain, the connected Domain and Abuse Record sections confirm that the IP address is associated with illegal activities and illicit services.

IP address infected with the Cobalt Strike malware that has a history of being connected to a phishing domain

Furthermore, the open port banners found at the IP address show that a beacon communicating over HTTP and HTTPS was detected. A beacon is the agent that carries out Cobalt Strike’s attack commands and is, in practice, the malicious code itself.

Open ports in which the Cobalt Strike beacon malware was detected

Preventing Cobalt Strike Ransomware and Malware Through Threat Intelligence Integration

If an IP address infected with Cobalt Strike ransomware or malware is blacklisted by an authorized security agency or service provider, access to that IP address can be detected and blocked by linking the blacklist database to a firewall or other existing security solutions. However, a newly infected IP address that has not yet been blacklisted may be difficult to block even when the blacklist database is linked.

On the other hand, Criminal IP’s threat intelligence (TI) not only provides existing blacklist information but also adds newly infected and malicious IP addresses that are not yet on existing blacklists through real-time analysis. Therefore, integrating Criminal IP’s TI data into the security solution in use, such as a firewall, IPS, or SOAR, can be highly beneficial in blocking outbound access to sites and IP addresses infected with Cobalt Strike ransomware, even when they are not yet registered in a blacklist database.
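The following Python script is an added example, not Criminal IP’s own code or API client, showing how the two ideas above fit together on the defender’s side: it applies the same “tag: cobalt strike” plus “snort_rule: C2” selection the search section describes to a batch of TI records, then compares the result with an existing blacklist so that only the newly discovered addresses need fresh outbound firewall rules. The record field names (`ip`, `tags`, `snort_rules`, `inbound_score`, `outbound_score`, `abuse_records`), the risk labels and the sample feed are all assumptions constructed for the example; the addresses are RFC 5737 documentation ranges, not real indicators.

```python
"""Added example: turn TI records into an outbound deny list.

Assumed, not Criminal IP's real schema: every record is a dict with the
fields used below, and scores use the labels Safe/Low/Moderate/Dangerous/Critical.
All addresses, rule names and abuse records are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Assumed risk scale, least to most severe.
RISK_ORDER = {"Safe": 0, "Low": 1, "Moderate": 2, "Dangerous": 3, "Critical": 4}

# Constructed sample feed (documentation addresses, not real IoCs).
SAMPLE_FEED = [
    {   # like the page's example: tag + C2 snort hit + critical scores + phishing abuse record
        "ip": "192.0.2.10",
        "tags": ["cobalt strike"],
        "snort_rules": ["Cobalt Strike C2 beacon (constructed rule name)"],
        "inbound_score": "Critical",
        "outbound_score": "Critical",
        "abuse_records": ["phishing domain (constructed)"],
    },
    {   # tagged cobalt strike but no C2 rule and only a moderate score: not enough on its own
        "ip": "192.0.2.20",
        "tags": ["cobalt strike"],
        "snort_rules": [],
        "inbound_score": "Moderate",
        "outbound_score": "Moderate",
        "abuse_records": [],
    },
    {   # no cobalt strike tag, but critical outbound score with a C2 hit
        "ip": "198.51.100.5",
        "tags": [],
        "snort_rules": ["C2 check-in (constructed rule name)"],
        "inbound_score": "Dangerous",
        "outbound_score": "Critical",
        "abuse_records": [],
    },
    {   # malformed entry: must never be rendered into a firewall rule
        "ip": "not-an-ip; rm -rf /",
        "tags": ["cobalt strike"],
        "snort_rules": ["C2"],
        "inbound_score": "Critical",
        "outbound_score": "Critical",
        "abuse_records": [],
    },
]

# Constructed pre-existing blacklist: only one host is already known.
EXISTING_BLACKLIST = {"192.0.2.10"}


def matches_cobalt_strike_c2(record: dict) -> bool:
    """Mirror the search 'tag: cobalt strike snort_rule: C2': both must hold."""
    tagged = any("cobalt strike" in t.lower() for t in record.get("tags", []))
    c2_hit = any("c2" in r.lower() for r in record.get("snort_rules", []))
    return tagged and c2_hit


def at_least(label: str, threshold: str) -> bool:
    """True when a risk label is at or above the threshold on the assumed scale."""
    return RISK_ORDER.get(label, -1) >= RISK_ORDER[threshold]


def select_block_candidates(feed: Iterable[dict], threshold: str = "Critical") -> list[str]:
    """IPs worth blocking outbound: a Cobalt Strike C2 match, or an outbound
    score at/above the threshold. Unparsable addresses are dropped so that
    feed garbage cannot end up inside a shell command."""
    chosen: set[str] = set()
    for rec in feed:
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))
        except (KeyError, ValueError):
            continue
        if matches_cobalt_strike_c2(rec) or at_least(rec.get("outbound_score", ""), threshold):
            chosen.add(ip)
    return sorted(chosen, key=ipaddress.ip_address)


def split_known_new(candidates: Iterable[str], blacklist: set[str]) -> tuple[list[str], list[str]]:
    """Separate hosts already on the blacklist from ones only the TI feed knows."""
    cands = set(candidates)
    known = sorted(cands & blacklist, key=ipaddress.ip_address)
    new = sorted(cands - blacklist, key=ipaddress.ip_address)
    return known, new


def iptables_drop_rules(ips: Iterable[str]) -> list[str]:
    """Render outbound DROP rules for review; nothing is executed here."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    candidates = select_block_candidates(SAMPLE_FEED)
    known, new = split_known_new(candidates, EXISTING_BLACKLIST)
    print("already blacklisted:", known)
    print("new from TI feed:   ", new)
    for rule in iptables_drop_rules(new):
        print(rule)
```

Run as-is, the script selects two of the four constructed records, reports one as already blacklisted and prints a single new outbound DROP rule for the other; the malformed record is silently skipped, which is the property you want before any feed output reaches a firewall or SOAR playbook. Rendering rules as strings rather than executing them keeps a human or change-control step between the TI feed and the firewall.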

Please refer to our video on detecting servers infected with Cobalt Strike malware (botnet servers) for more information.


Source: Criminal IP (https://www.criminalip.io)
