1/16 January 6, 2022 NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/ NOBELIUM is another name for the APT29 intrusion set¹, operated by a threat actor allegedly linked to the SVR (the Foreign Intelligence Service of the Russian Federation)². NOBELIUM has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. Despite the low sophistication level of its phishing campaigns targeting Windows, NOBELIUM is well known for its agility once inside the victim’s network. Its operators are careful, patient and masterize cutting edge intrusion techniques against the latest Microsoft technologies and services such as AzureAD. For example, NOBELIUM used a home made passive implant dubbed FoggyWeb to exfiltrate authentication tokens from ADFS servers in a stealthy way³. https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/ https://www.cisa.gov/uscert/ncas/alerts/aa21-148a https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ 2/16 NOBELIUM made the headlines a little over a year ago, following the discovery of a sophisticated supply chain attack against the Solarwinds software, compromising thousands with a validator dubbed “SunBurst”⁴. Beyond its impact and its sophistication, the attack – as disclosed by Kaspersky – had an interesting overlap with a backdoor used by TURLA⁴, an intrusion set that has been active for years and known to be allegedly linked to the Russian FSB. Joint operation between two Russian threat actors or NOBELIUM had access to the same code base? The question remains unanswered today but it is not the first time that overlaps between these two intrusion sets emerge⁵. Throughout 2021 and following the SolarWinds attack, NOBELIUM engaged in spear phishing campaigns by using mails and social media messaging. These campaigns didn’t use any exploit to compromise Windows endpoints. They simply relied on malicious HTML attachments – called EnvyScout by Microsoft⁶– with a pinch of social engineering. By opening the attachment, the HTML file extracts from itself an ISO file by using a technique dubbed HTML Smuggling. The ISO is then downloaded by the victim and automatically mounted on the victim’s workstation, leading at the end of the exploitation chain to execution of a CobaltStrike beacon. New EnvyScout infection chain analysis. On October 21st, 2021, a new EnvyScout HTML file related to the NOBELIUM intrusion set (3d18bc4bfe1ec7b6b73a3fb39d490b64) matched one of our YARA rule on VirusTotal with a detection ratio of 1 on 56. The rule was done on the possible obfuscated variants of a JavaScript loop used in the EnvyScout initial file disclosed by Microsoft (32e0940e1715392280d4bdb514d9cf11)⁶. Table 1. Comparison of the two loops It is worth noting that’s not the only resemblance between the two files, both also have the same headers, with the same MOTW comment⁷, such as: https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/#4-link https://www.mandiant.com/resources/sunburst-additional-technical-details https://securelist.com/sunburst-backdoor-kazuar/99981/ https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628(v=vs.85)?redirectedfrom=MSDN 3/16 Extract 1. Headers in 32e0940e’ and 3d18bc4b’ files As seen during other phishing campaigns reported in open-source, this file uses the “HTML Smuggling” technique to extract a malicious ISO file. By looking at its content, this file seems to have targeted at least one Iranian embassy, as shown below: Figure 1. Message shown to the user by the HTML file 3d18bc4bfe1ec7b6b73a3fb39d490b64. Following this first discovery, another similar HTML file came out in early December (b87073c34a910f20a83c04c8efbd4f43) but this time with no text except the title “Covid information”. The content may have been deleted by the submitters in order to prevent victim identification. However, the next infection chain stage revealed that it targeted at least one Turkey Embassy. It is worth noting that these EnvyScout files don’t contain any SMB trap, web bug, telemetry script or redirection to some 0day exploit targeting iOS as previously seen by Google TAG⁸. If we take a look at the ISO files metadata, the ISO volume name is the HTA file title and there are some interesting timestamps such as the “Root Directory Create Date” or the “Volume Create Date”. In the first sample, 3d18bc4bfe1ec7b6b73a3fb39d490b64, the timestamps values are 2021:10:20 11:27:18-07:00 (UTC time). Whereas in the second sample, which was uploaded a bit later on VirusTotal, the timestamps values are 2021:11:12 09:28:40-08:00 (UTC time). These dates indicate the last time that the volume was mounted. This is quite interesting as the ISO files were actually simply extracted and decoded from the HTML files. It seems therefore likely that NOBELIUM built the payloads (or tested its whole attack chain) at these dates. If that is indeed the case, it would mean that the first sample 3d18bc4bfe1ec7b6b73a3fb39d490b64 was created a day before it was uploaded to VirusTotal. https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ 4/16 Unlike the previously described NOBELIUM spear-phishing attacks disclosed by Microsoft, the downloaded ISO files no longer contained a malicious DLL and a shortcut aimed to launch that DLL. In both cases, the ISO simply embeds a malicious HTML Application (HTA) file, executing the rest of the exploitation chain. For the HTA file corresponding to the first HTML file (3d18bc4bfe1ec7b6b73a3fb39d490b64), the HTA file contains the same message as the HTML file. For the second HTML file (b87073c34a910f20a83c04c8efbd4f43), the HTA file contains a message similar to the first file but this time mentions an “Embassy of the Republic of Turkey”: Figure 2. The HTA b84c00ae9e7f9684b36d75a1a09f8210 message. Note the slight typos they made in this message at “transfered” (just like in the first HTML file) and “thes”. In both cases, the HTA file contains hidden HTML elements embedding the content of two different registry values. The first registry value carries a shellcode loader written in PowerShell dedicated to decode and load a shellcode, contained in the second registry value. Once the values are saved in the registry, the HTA launches a Powershell command line which will load and execute the content of the first registry key, as shown below: Extract 2. Extract of the HTA b84c00ae9e7f9684b36d75a1a09f8210. 5/16 It is worth noting that prior to loading the shellcode, the registry keys containing the malicious payloads are deleted, a nice try to prevent forensic analysis. Furthermore, the registry key names differ in the two samples (Javasoft and MSOffice). In the two cases, the shellcode loads and executes in memory a DLL embedded in it. Both DLLs contain dozens of dead exports, are heavily obfuscated in the same manner with a lot of junk code and fake calls to the Windows API. They are used to decrypt and load an encrypted CS beacon splitted in seven different parts inside the DLL. To resume, they seem to act as the loader dubbed NativeZone (variant 1) as described by Microsoft in their blogpost⁶. To summarize, you can see below the full infection chain used in these recent spear phishing attacks: Figure 3. Infection chain of 3d18bc4bfe1ec7b6b73a3fb39d490b64. Both CobaltStrike configurations were extracted easily and can be found in the Appendix. It is interesting to note that the public keys and the user-agent are the same. Furthermore, the user-agent should not be used often in real corporate environments as it is associated with https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ 6/16 Windows 8 and you could therefore look for that on your networks for hunting purposes. Two different C2s have been extracted, midcitylanews[.]com for the sample targeting Iran and dom-news[.]com for the sample targeting Turkey. Infrastructure analysis The domains midcitylanews[.]com and dom-news[.]com retrieved from the CobaltStrike beacons have been registered more than a year prior to their use by the threat actor which could indicate that NOBELIUM tried to prevent malicious domains detection based on their creation date. These domains resolved VPS IP addresses having their 80 and 443 ports open. They seem to have been configured by using an Nginx forwarder configuration for CobaltStrike C2 dubbed “cs2nginx” and available for anyone on Github⁹. However, even if the domains were registered a year ago, the associated C2 servers were set up around the end of september, 2021. Therefore, this time delta, the use of cs2nginx and the pattern of the typosquatting domains (e.g. the use on “news” keyword for many of them) can lead to some infrastructure illumination. Here is the infrastructure which can be grabbed by using this heuristic. Table 3. Infrastructure discovered possibly linked to NOBELIUM It is interesting to note that like the infrastructure disclosed by the CERT-FR in December, 2021¹⁰, this cluster is distributed between several autonomous systems, which seems also to be one characteristic of NOBELIUM. https://github.com/threatexpress/cs2modrewrite/blob/master/cs2nginx.py https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/ 7/16 During this investigation, we found other C2s servers using the same technique and potentially linked to other threat actors or red teams. We decided to publish this list in the appendix for threat hunting purposes in your network. Conclusion The infection chain and the indicators shown above suggest that NOBELIUM is associated with this attack campaign. After having burned EnvyScout against occidental targets, NOBELIUM seems to reuse this infection chain against other countries. However, due to the low complexity of the infection chain and the previous blog posts covering EnvyScout, it could be, although we write this with very low confidence, just another threat actor copycatting NOBELIUM. External references ¹ Alert (AA21-148A) Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs, CISA, May 28, 2021 ² Further TTPs associated with SVR cyber actors, NCSC, May 7, 2021 ³ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor, Microsoft, September 27, 2021 ⁴ SUNBURST Additional Technical Details, Mandian, December 24, 2020 ⁵ Sunburst backdoor – code overlaps with Kazuar, Kaspersky, January 11, 2021 ⁶ Breaking down NOBELIUM’s latest early-stage toolset, Microsoft, May 28, 2021 ⁷ Mark of the Web, Microsoft, May 11, 2015 ⁸ How we protect users from 0-day attacks, Google TAG, July 12, 2021 ⁹ Cs2modrewrite’s source code on Github ¹⁰ Phishing campaigns by the Nobelium intrusion set, CERT-FR, December 6, 2021 Tactics, Techniques and Procedures (TTPs) T1583.001 – Acquire Infrastructure: Domains T1583.003 – Acquire Infrastructure: Virtual Private Server T1566.001 – Phishing: Spearphishing Attachment T1566.003 – Phishing: Spearphishing via Service T1059.001 – Command and Scripting Interpreter: PowerShell https://www.cisa.gov/uscert/ncas/alerts/aa21-148a https://www.cisa.gov/uscert/ncas/alerts/aa21-148a https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ https://www.mandiant.com/resources/sunburst-additional-technical-details https://securelist.com/sunburst-backdoor-kazuar/99981/ https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628(v=vs.85)?redirectedfrom=MSDN https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ https://github.com/threatexpress/cs2modrewrite/blob/master/cs2nginx.py https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/ 8/16 T1204.002 – User Execution: Malicious File T1027.006 – Obfuscated Files or Information: HTML Smuggling T1071.001 – Application Layer Protocol: Web Protocols Related IOCs The IOCs are provided “as is”. All the IOCs can be downloaded in JSON STIX2.1 and CSV formats on the SEKOIA.IO Github: https://www.github.com/SEKOIA- IO/Community/tree/main/IOCs Domains crochetnews[.]com dom-news[.]com readnewshot[.]com pharaosjournal[.]com bfilmnews[.]com theanalyticsnews[.]com galatinonews[.]com midcitylanews[.]com muslimnewsdaily[.]com IP Addresses 31.42.177[.]78 158.255.211[.]40 45.14.70[.]186 46.102.152[.]118 139.99.178[.]56 95.183.51[.]161 195.144.21[.]159 103.232.53[.]230 194.62.42[.]109 Other domains suspected to use cs2nginx These domains are suspected to use cs2nginx. We haven’t been able to link them to NOBELIUM and they could be related to other threats. They are provided “as is”, only for hunting purposes in your own network. https://www.github.com/SEKOIA-IO/Community/tree/main/IOCs%20 9/16 updates.uk[.]com onlinebusinessadviceuk[.]com assets.completehealthcareuk[.]net d2rwiki[.]net taiwancht[.]com herosofthestorms[.]com note.legendsec[.]net faststartbusiness[.]com msdnsvc[.]com assets.bettendorfhealthcare[.]com eblogpro[.]com getdsoft[.]com themobilecard[.]com c***solutions[.]support v*****managernent[.]com e*****x[.]me img.microsoftupdate.cc windows.msgetupdate.com fwd.splunk.eu.com file.updateswindows.com Files MD5 hashes 054940ba8908b9e11f57ee081d1140cb b84c00ae9e7f9684b36d75a1a09f8210 3d18bc4bfe1ec7b6b73a3fb39d490b64 b87073c34a910f20a83c04c8efbd4f43 d4fdf63d88da2d59569bb621b18bf5e4 41dd8cee47c036e7e9e92c395c5d1feb b7ca8c46dc1bfc1d9cb9ce04a4928153 cc08a6df151b8879a4969b2e99086b48 4365057ef0c5a9518d95d53eab5995a8 Yara rules 10/16 rule apt_nobelium_powsershell_reg_loader_decoded { meta: id = “c8ee9c40-fa28-4b9a-98e8-88ccc4a16091“ description = “Matches the decoded version of the Powershell loader stored in the registry“ version = “1.0“ creation_date = “2021-12-07“ modification_date = “2021-12-07“ classification = “TLP:WHITE“ source=“SEKOIA“ strings: $x = “FromBase64String((gp HKCU:\\\\SOFTWARE\\\\“ $y = “Remove-ItemProperty HKCU:\\\\SOFTWARE\\\\“ $z = “Invoke([IntPtr]::Zero)“ condition: filesize < 3KB and $x and #y == 2 and $z at (filesize-22) } rule apt_nobelium_hta_reg_dropper { meta: id = “9f6a2154-c33a-4c38-9667-7479bf49c310“ description = “Matches HTA dropper file used by NOBELIUM and ISO files containing it“ hash = “054940ba8908b9e11f57ee081d1140cb“ hash = “b7ca8c46dc1bfc1d9cb9ce04a4928153“ version = “1.0“ creation_date = “2021-12-07” modification_date = “2021-12-07“ classification = “TLP:WHITE“ source=“SEKOIA“ strings: $w = “RegWrite(“ nocase $x = { 2b 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 [0-4] 22 29 2e 69 6e 6e 65 72 48 54 4d 4c } $y = “ 1MB and filesize < 3MB } rule apt_nobelium_html_smuggling_iso { meta: id = “9bd5b626-8ea3-4607-a858-58deff18396c“ version = “1.0“ description = “Detect HTML smuggling with ISO“ hash = “b87073c34a910f20a83c04c8efbd4f43” hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“ source = “SEKOIA“ creation_date = “2022-01-02” modification_date = “2022-01-02“ classification = “TLP:WHITE“ strings: $ = “new Blob“ $ = “.click();“ $ = { 28 [1-20] 2c 22 [1-20] 2e 69 73 6f 22 2c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 63 64 2d 69 6d 61 67 65 22 29 } condition: filesize > 1MB and filesize < 2MB and all of them } rule apt_nobelium_b64_to_Uint8Array { meta: id = “66c9b00b-f021-4115-b9ec-d1e1f491ce72“ description = “Detect Base64 decode to Uint8Array used in NOBELIUM HTML files“ hash = “3d18bc4bfe1ec7b6b73a3fb39d490b64“ version = “1.0“ creation_date = “2021-12-02” modification_date = “2021-12-02“ classification = “TLP:WHITE“ source=“SEKOIA“ strings: $a1 = “atob(“ $l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b } 12/16 $l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b } $a2 = “new Uint8Array“ condition: $l0 in (@a1..@a2) and $l1 in (@a1..@a2) and filesize > 1MB and filesize < 3MB } import “pe“ rule apt_nobelium_cs_loader_obfuscation { meta: id = “5f21b031-3dc1-4dad-b775-6099bfcb0472“ version = “1.0“ description = “Detect obfuscated CobaltStrike loaders used by NOBELIUM” hash = “41dd8cee47c036e7e9e92c395c5d1feb“ hash = “4365057ef0c5a9518d95d53eab5995a8“ source = “SEKOIA“ creation_date = “2022-01-04“ modification_date = “2022-01-04“ classification = “TLP:WHITE“ strings: $j1 = { DD 05 ?? ?? ?? ?? DD 9D } $j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 } $c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF } condition: pe.characteristics & pe.DLL and pe.number_of_exports > 20 and filesize > 300KB and filesize < 400KB and #j1 > 50 and #j2 > 50 and #c1 == 2 } Sigma rule 13/16 id: d9114938-6877-48d8-a785-bc07cb7220ff title: PowerShell invoking in the command line a registry value to execute. description: Detects a d9114938 execution which grabs a value in the windows registry to execute it. references: – MD5 hash: b84c00ae9e7f9684b36d75a1a09f8210 – MD5 hash: 054940ba8908b9e11f57ee081d1140cb status: experimental author: ‘SEKOIA.IO’ date: 2022/01/03 tags: – attack.T1059.001 logsource: category: process_creation product: windows detection: selection: Image|contains: ‘powershell’ CommandLine|contains: ‘HKCU’ selection2 CommandLine|contains: – ‘invoke-expression’ – ‘iex’ CommandLine|contains: – ‘gp’ – ‘Get-ItemProperty’ condition: selection and selection2 level: medium Registry Keys HKCU\SOFTWARE\MSOffice\Version HKCU\SOFTWARE\MSOffice\path HKCU\SOFTWARE\JavaSoft\Ver HKCU\SOFTWARE\JavaSoft\Ver2 CobaltStrike configurations 14/16 Configuration of the CobaltStrike beacon launched from the Iranian decoy (from 1768.py, Didier Stevens’ tool): Config found: xorkey b’.’ 0x00000000 0x000041f0 0x0001 payload type 0x0001 0x0002 8 windows-beacon_https- reverse_https 0x0002 port 0x0001 0x0002 443 0x0003 sleeptime 0x0002 0x0004 60000 0x0004 maxgetsize 0x0002 0x0004 1398104 0x0005 jitter 0x0001 0x0002 30 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bb 0x0008 server,get-uri 0x0003 0x0100 ‘midcitylanews.com,/news/update/aaa’ 0x000e SpawnTo 0x0003 0x0010 (NULL …) 0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’ 0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’ 0x001f CryptoScheme 0x0001 0x0002 0 0x001a get-verb 0x0003 0x0010 ‘GET’ 0x001b post-verb 0x0003 0x0010 ‘POST’ 0x001c HttpPostChunk 0x0002 0x0004 0 0x0025 license-id 0x0002 0x0004 1359593325 0x0026 bStageCleanup 0x0001 0x0002 0 0x0027 bCFGCaution 0x0001 0x0002 0 0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’ 0x000a post-uri 0x0003 0x0040 ‘/form/sent/ppw’ 0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’ 0x000c http_get_header 0x0003 0x0200 Content-Type: text/html Cache-Control: no-cache v1.5472 0x000d http_post_header 0x0003 0x0200 !Content-Type: multipart/form-data Cache-Control: no-cache /.jpg 0x0036 HostHeader 0x0003 0x0080 (NULL …) 0x0032 UsesCookies 0x0001 0x0002 0 0x0023 proxy_type 0x0001 0x0002 2 IE settings 0x003a 0x0003 0x0080 ‘\x00\x05\x90’ 0x0039 0x0003 0x0080 ‘\x00\x05p’ 0x0037 0x0001 0x0002 0 0x0028 killdate 0x0002 0x0004 0 0x0029 textSectionEnd 0x0002 0x0004 0 0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE 0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ 0x002d process-inject-min_alloc 0x0002 0x0004 17500 0x002e process-inject-transform-x86 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’ 0x002f process-inject-transform-x64 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’ 0x0035 process-inject-stub 0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’ 0x0033 process-inject-execute 0x0003 0x0080 15/16 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\ 0x0034 process-inject-allocation-method 0x0001 0x0002 1 0x0000 Guessing Cobalt Strike version: 4.1+ (max 0x003a) Configuration of the CobaltStrike beacon launched from the Turkish decoy (from 1768.py, Didier Stevens’ tool): Config found: xorkey b’.’ 0x00000000 0x0000bff0 0x0001 payload type 0x0001 0x0002 8 windows-beacon_https- reverse_https 0x0002 port 0x0001 0x0002 443 0x0003 sleeptime 0x0002 0x0004 60000 0x0004 maxgetsize 0x0002 0x0004 1398104 0x0005 jitter 0x0001 0x0002 30 0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be0ed930ab8ecb86facd6419bb 0x0008 server,get-uri 0x0003 0x0100 ‘dom-news.com,/info/www/robot’ 0x000e SpawnTo 0x0003 0x0010 (NULL …) 0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\syswow64\\dllhost.exe’ 0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\sysnative\\dllhost.exe’ 0x001f CryptoScheme 0x0001 0x0002 0 0x001a get-verb 0x0003 0x0010 ‘GET’ 0x001b post-verb 0x0003 0x0010 ‘POST’ 0x001c HttpPostChunk 0x0002 0x0004 0 0x0025 license-id 0x0002 0x0004 1359593325 0x0026 bStageCleanup 0x0001 0x0002 0 0x0027 bCFGCaution 0x0001 0x0002 0 0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36’ 0x000a post-uri 0x0003 0x0040 ‘/assets/image/awd’ 0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\x00\x00\x00\x04\x00\x00\x00\x03’ 0x000c http_get_header 0x0003 0x0200 Content-Type: text/html Cache-Control: no-cache .html Cookie 0x000d http_post_header 0x0003 0x0200 Content-Type: image/jpeg Accept-Encoding: gzip, deflate Cache-Control: no-cache /.png 0x0036 HostHeader 0x0003 0x0080 (NULL …) 0x0032 UsesCookies 0x0001 0x0002 1 0x0023 proxy_type 0x0001 0x0002 2 IE settings 0x003a 0x0003 0x0080 ‘\x00\x05\x90’ 0x0039 0x0003 0x0080 ‘\x00\x05p’ 0x0037 0x0001 0x0002 0 0x0028 killdate 0x0002 0x0004 0 0x0029 textSectionEnd 0x0002 0x0004 0 0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE 0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ 0x002d process-inject-min_alloc 0x0002 0x0004 17500 16/16 0x002e process-inject-transform-x86 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’ 0x002f process-inject-transform-x64 0x0003 0x0100 ‘\x00\x00\x00\x02\x90\x90’ 0x0035 process-inject-stub 0x0003 0x0010 ‘\x0câõTDäy5\x16µ¯ég¾\x92U’ 0x0033 process-inject-execute 0x0003 0x0080 ‘\x06\x00&\x00\x00\x00\x06ntdll\x00\x00\x00\x00\x13RtlUserThreadStart\x00\x01\x08\x07\ 0x0034 process-inject-allocation-method 0x0001 0x0002 1 0x0000 Guessing Cobalt Strike version: 4.1+ (max 0x003a) Chat with our team! Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cybersecurity project in your organization? Make an appointment and meet us! Contact us https://www.sekoia.io/en/contact/