Introduction
The FortiGuard Responder team has observed attempts to employ a proxy execution technique that uses the Microsoft MSBuild to deploy Cobalt Strike beacons throughout customer environments. This technique was also observed and reported by Renato Marinho from Morphus Labs. The C2 infrastructure associated with this activity has also been linked to log4j exploitation earlier in the month although this TTP itself has not been linked with log4j. This article will demonstrate how FortiEDR protects against the use of this proxy execution technique and will analyze a sample observed in the wild that is readily available to validate the protections offered by FortiEDR.
At the time of detection, several samples that employed this proxy execution technique continue to have a very low detection rate on Virus Total with only 6/57 vendors detecting it as malicious and only one correctly identifying the Cobalt Strike implant. Similar samples, to be analyzed later in the article, are more than 6 months old and still have less than 3/57 vendor detection rate.
Figure 1: Sample has a very low detection rate through AV vendors.
The sample above (and the one analyzed in this article) is a project file, which is an XML schema designed to be used to control the creation of an executable. Functionality within the MSBuild process called ‘Tasks’ allows for the execution of arbitrary code alongside the build process to provide flexibility for end users, likely to support the integration of MSBuild in automated build processes. This functionality has been used in the case of the analyzed sample, for proxy execution of a Cobalt Strike beacon.
The sample observed by the FortiGuard Responder team was delivered through an RDP connection then executed directly through GUI access to the ‘Developer Command Prompt’. Whilst overt, this technique would at first glance be indistinguishable from standard activity, especially in environments where software development tools are standard.
Analyzing the sample.
A project file has several key components of note in this sample; Target Name, TaskName and the Task itself. The target name defines the target for the build, in the case of all samples analyzed by the FortiGuard Responder team this had a value of ‘Debug’. The TaskName is the name of a particular task and is references in the Target definition, in the case of all samples analyzed by the FortiGuard Responder team this had a value of ‘ClassExample’. These two sections can be observed in Figure 2 below.
Figure 2: Target Name and TaskName variables common between samples.
The final component is the Task section. The task section defines the task to be executed alongside the build process. In the case of the samples analyzed by the FortiGuard Responder team the Task was the largest section of the project file. The observed tasks were written in C# and contain code to decode, reflectively load and then execute a Cobalt Strike beacon payload. The Cobalt Strike payload is stored in a variable called ‘buff’ and is byte-wise XORed with a 5-8 byte key stored in variable called ‘key_code’. Code snippets of these variables from the proj file can be observed in Figure 3 below.
Figure 3: ‘buff’ and ‘key_code’ byte arrays storing encoded Cobalt Strike beacon and decode key respectively. Note that the ‘buff’ variable takes up the majority of the file contents and has been truncated in the figure.
As the proj file is ‘built’ the ‘ClassExample’ task is executed. This task decodes the ‘buff’ variable to a memory stream which is then reflectively loaded into the hosting MSBuild process, then executed. The section of code responsible for this decode, reflective loading, and execution is shown below in Figure 4.
Figure 4: This code snippet shows how each byte of the ‘buff’ array is XORed against a byte in the ‘key_code’ array in a loop then loaded into memory and executed.
On execution, the Cobalt Strike beacon will reach out to its C2 server per its embedded configuration. The configuration of the beacon can be extracted from the decoded beacon executable using the fantastic Cobalt Strike config parser (https://github.com/Sentinel-One/CobaltStrikeParser). The config extracted from the above-analyzed sample is a simple configuration as shown below in Figure 5, with a single IP as a C2Server and minimal use of additional Cobalt Strike features. A full analysis of a Cobalt Strike configuration is outside the scope of this article and there are already great resources in the Cyber Security community on the topic, but the following article provides a starting point for those wanting to go deeper into extracting and understanding IOCs from this artifact (https://www.mandiant.com/resources/defining-cobalt-strike-components) .
Detecting and Mitigating with FortiEDR
FortiEDR effectively detects and blocks MSBuild proxy execution of malicious payloads like the Cobalt Strike beacon analyzed above out of the box (OOTB) using behavioral detections that form part of its default ruleset. FortiEDR does not whitelist all behavior associated with the process so easily detects anomalous behavior such as network connections and reflective loading, despite the MSBuild executable being known, signed Microsoft executable. In the emulated attack below the sample analyzed above was executed through the Developer Command Prompt whilst FortiEDR was set to ‘Log Only’. In this mode FortiEDR only logs events, it would normally block allowing the sample to execute fully giving us the opportunity to observe the full range of behaviors detected by FortiEDR.
Execution of this sample generated two events from three rules, each triggered by suspicious/malicious behavior that would have been stopped, thwarting this attack if FortiEDR actions had been set to block. These events can be seen below in Figure 6 below.
Figure 6: Events detected by FortiEDR related to MSBuild proxy execution of the malicious proj file analyzed above containing a Cobalt Strike beacon.
The first event above was triggered by the ‘Connection Attempt from a Suspicious Application’ rule in the Exfiltration Prevention Policy. This rule flags on network connections associated with applications that don’t normally create network connections or that have been known to be exploited by adversaries. Exceptions can be made to allow legitimate usage where required. In the case of this events the event was classified as ‘Suspicious’ as FortiGuard Labs threat intelligence feeds flagged the IP address (23.227.178[.]115) as suspicious. FortiEDR’s integration with FortiGuard Labs threat intelligence resources is part of the default configuration.
The second event flagged two behavioral rules both from the Exfiltration Prevention Policy; ‘Dynamic Code – Malicious Runtime Generated Code Detected’ and ‘Unmapped Executable – Executable File without a Corresponding File on Disk’. The first of these rules (Dynamic Code) flagged on the decoded Cobalt Strike beacon being generated in memory at runtime failing file verification. This can be seen in the FortiEDR ‘Stacks View’ within the Forensics tab as shown below in Figure 7.
Figure 7: FortiEDR Stacks View showing the Dynamic Code rule exception related to the decoding of the Cobalt Strike beacon
The second rule (Unmapped Executable) flagged on the Cobalt Strike beacon being reflectively loaded into the MSBuild process. The memory allocated to this unmapped executable can be observed through the ‘Stacks View’ of the Forensics tab as shown in Figure 8 below. FortiEDR can be used to dump the executable from memory for further analysis if required. This is an alternative way of getting the decoded Cobalt Strike beacon rather than decoding the proj file directly.
Figure 8: FortiEDR Stacks View showing the Unmapped Executable rule exception related to the reflective loading of the Cobalt Strike beacon
Threat Hunting with VT
Taking common indicators from the analyzed sample, the FortiGuard Responder team identified a number of similar samples in VirusTotal. Samples go back as far as July 2021 and appear to come in two variants defined by the decoded contents of the ‘buff’ variable; variant one containing a version of BEACON (Cobalt Strike) matching the one analyzed in this article and variant two which contains a Metasploit Meterpreter stager that calls back to adversary C2 to download a Cobalt Strike beacon. Infrastructure (domains and IPs) and TTP (user agent, URL, profile) crossover can be observed between the two variants including over the same time period indicating activity is likely the same actor. Additionally all exported Cobalt Strike payloads share the same product watermark (426352781).
Conclusion
This article has demonstrated how FortiEDR protects against MSBuild based proxy execution of malicious Cobalt Strike beacons and Meterpreter loaders using default rules, policies, and configurations. Generic telemetry-based threat hunting is difficult for this TTP without an understanding of the prevalence of MSBuild usage inside an environment so no Threat Hunting queries have been provided as part of this article.
IOCs for the BEACON payloads have been extracted from the config files using the process outlined above. IOCs for the Meterpreter stagers have been extracted from the shellcode dumped following decoding of the embedded ‘buff’ variables. The majority of the IOCs are known but have been collated and made available at the end of this article for completeness.
Figure 9: Observed host visits for the “hxxp://64.44.139[.]51:8080/safebrowsing/nuzhx/BPxxUS7rqSgy34UkChZ3LrTW1WV91WFfhglLRiDK” webpage for the last three months. Taken from Fortinet Central Threat System (CTS)
It should also be noted that despite some of the IOCs being first observed in October 2021, FortiGuard Labs threat intelligence feeds indicate that the C2 is still being contacted regularly by victims across the globe. Some of this activity is as recent as 28 December 2021 with a significant spike in activity beginning in mid-December from endpoints in India, the US and Europe, as observed in Figure 9 above.
MITRE ATT&CK
TA0002 - Execution
|
Technique ID |
Technique Description |
Observed Activity |
|
T1106 |
Native API |
Observed MSBuild projects analyzed in this article uses direct API calls to reflectively load and execute malicious Cobalt Strike and Meterpreter payloads. |
TA0005 – Defensive Evasion
|
Technique ID |
Technique Description |
Observed Activity |
|
T1127.001 |
Trusted Developer Utilities Proxy Execution: MSBuild |
This article is based on analyzing the exploitation of MSBuild ‘tasks’ feature to perform proxy execution. The identified proj files don’t result in a built application and only exist to exploit this functionality |
|
Technique ID |
Technique Description |
Observed Activity |
|
T1620 |
Reflective Code Loading |
Encoded Cobalt Strike and Meterpreter loaders are decoded and loaded into the MSBuild process directly from memory using .NET functionality (System.Reflection). |
TA0011 – Command and Control
|
Technique ID |
Technique Description |
Observed Activity |
|
T1071.001 |
Application Layer Protocol: Web Protocols |
Both Cobalt Strike and Meterpreter payloads used predominantly HTTP and HTTPS to communicate back to C2 |
|
Technique ID |
Technique Description |
Observed Activity |
|
T1071.004 |
Application Layer Protocol: DNS |
One of the Cobalt Strike beacon configurations identified the use of HTTP DNS beacon type which results in DNS traffic. |
IOCs
|
Indicator Description |
Indicator |
Indicator Type |
Associated Tactic |
Notes |
|
Malicious proj file |
641a82576ce3b0e41d70607ec7178ecf43405385 |
SHA1 |
Execution |
MSBuild project file containing encoded Meterpreter payload |
|
Malicious proj file |
08919748beaf4b1ee29cb3a74cd58a4bbdec5bd1 |
SHA1 |
Execution |
MSBuild project file containing encoded Meterpreter payload |
|
Malicious proj file |
6a1788a84da831d700229702c9ce2d901b505dd1 |
SHA1 |
Execution |
MSBuild project file containing encoded Meterpreter payload |
|
Malicious proj file |
ae68d5f64ba92f8c1740ed32663edbda97dd9472 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
c184668996d03b83c15da389cce3f3bde20a09aa |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
572d9e9e2b0893cd5f0bf8952fa55aabc1acb546 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
2e0b32bb9bb62a4e4449828db216611f4a95b262 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
6900c8336b20c1e0a0453d2bc243d4937c6b7b09 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon. Note this sample contained a config that uses Hybrid HTTP DNS |
|
Malicious proj file |
8495925dc51357b58f9a9cc3eb37c7bd33e8d7bd |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
25533cc5796a2013296aae200ce7e35027f6775e |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
8d5908a1ae3d7fd5b534700f37694a782fa8d20f |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
Malicious proj file |
1606bb73020c41dfb1256ca4dc57368e89543f21 |
SHA1 |
Execution |
MSBuild project file containing encoded Cobalt Strike beacon |
|
User-Agent String |
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ESES) |
User Agent String |
Command and Control |
Extracted from Meterpreter payload in 641a82576ce3b0e41d70607ec7178ecf43405385 |
|
C2 IP |
23.227.178[.]115 |
IP Address |
Command and Control |
Extracted from Meterpreter payload in 641a82576ce3b0e41d70607ec7178ecf43405385 |
|
User-Agent String |
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333) |
User Agent String |
Command and Control |
Extracted from Meterpreter payload in 08919748beaf4b1ee29cb3a74cd58a4bbdec5bd1 |
|
C2 IP |
176.121.14[.]47 |
IP Address |
Command and Control |
Extracted from Meterpreter payload in 08919748beaf4b1ee29cb3a74cd58a4bbdec5bd1 |
|
User-Agent String |
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40 |
User Agent String |
Command and Control |
Extracted from Meterpreter payload in 6a1788a84da831d700229702c9ce2d901b505dd1 and Cobalt Strike config in c184668996d03b83c15da389cce3f3bde20a09aa, 4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3, 2e0b32bb9bb62a4e4449828db216611f4a95b262, 2ff25d6014acced3941831759357321ec6d37fef |
|
C2 IP |
88.119.161[.]120 |
IP Address |
Command and Control |
Extracted from Meterpreter payload in 6a1788a84da831d700229702c9ce2d901b505dd1 |
|
User Agent String |
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08) |
User Agent String |
Command and Control |
Extracted from Cobalt Strike config in 8495925dc51357b58f9a9cc3eb37c7bd33e8d7bd |
|
User Agent String |
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) |
User Agent String |
Command and Control |
Extracted from Cobalt Strike config in 1606bb73020c41dfb1256ca4dc57368e89543f21. User agent corresponds to Internet Explorer on Windows XP so anomalous. |
|
C2 URL |
64.44.139[.]51/safebrowsing/nuzhx/BPxxUS7rqSgy34UkChZ3LrTW1WV91WFfhglLRiDK |
URL |
Command and Control |
Extracted from Cobalt Strike config in ae68d5f64ba92f8c1740ed32663edbda97dd9472 and 25533cc5796a2013296aae200ce7e35027f6775e |
|
C2 URL |
mediaprotectxs[.]org/safebrowsing/nuzhx/BPxxUS7rqSgy34UkChZ3LrTW1WV91WFfhglLRiDK |
URL |
Command and Control |
Extracted from Cobalt Strike config in ae68d5f64ba92f8c1740ed32663edbda97dd9472 and 25533cc5796a2013296aae200ce7e35027f6775e |
|
C2 URL |
64.44.139[.]51/safebrowsing/qHiUGdv/HnMBjBNdYHDBZBhoscowAdNMzizR8zC |
URL |
Command and Control |
Extracted from Cobalt Strike config in ae68d5f64ba92f8c1740ed32663edbda97dd9472 and 25533cc5796a2013296aae200ce7e35027f6775e |
|
C2 URL |
mediaprotectxs[.]org/safebrowsing/qHiUGdv/HnMBjBNdYHDBZBhoscowAdNMzizR8zC |
URL |
Command and Control |
Extracted from Cobalt Strike config in ae68d5f64ba92f8c1740ed32663edbda97dd9472 and 25533cc5796a2013296aae200ce7e35027f6775e |
|
C2 URL |
akametric[.]co/c/msdownload/update/others/2020/10/29136388_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in c184668996d03b83c15da389cce3f3bde20a09aa, 4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3, 2e0b32bb9bb62a4e4449828db216611f4a95b262, 2ff25d6014acced3941831759357321ec6d37fef |
|
C2 URL |
88.119.175[.]251/c/msdownload/update/others/2020/10/29136388_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in c184668996d03b83c15da389cce3f3bde20a09aa, 4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3, 2e0b32bb9bb62a4e4449828db216611f4a95b262, 2ff25d6014acced3941831759357321ec6d37fef |
|
C2 URL |
akametric[.]co/c/msdownload/update/others/2020/10/28986731_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in c184668996d03b83c15da389cce3f3bde20a09aa, 4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3, 2e0b32bb9bb62a4e4449828db216611f4a95b262, 2ff25d6014acced3941831759357321ec6d37fef |
|
C2 URL |
88.119.175[.]251/c/msdownload/update/others/2020/10/28986731_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in c184668996d03b83c15da389cce3f3bde20a09aa, 4e862cc6d6f6f623e91e2774b1a8ebdbc89668c3, 2e0b32bb9bb62a4e4449828db216611f4a95b262, 2ff25d6014acced3941831759357321ec6d37fef |
|
C2 URL |
mftanalytics[.]cloud/messages/u5gmePQBEiwBnYZAtso1aMIsD |
URL |
Command and Control |
Extracted from Cobalt Strike config in 572d9e9e2b0893cd5f0bf8952fa55aabc1acb546 and 8d5908a1ae3d7fd5b534700f37694a782fa8d20f |
|
C2 URL |
91.234.254[.]184/messages/u5gmePQBEiwBnYZAtso1aMIsD |
URL |
Command and Control |
Extracted from Cobalt Strike config in 572d9e9e2b0893cd5f0bf8952fa55aabc1acb546 and 8d5908a1ae3d7fd5b534700f37694a782fa8d20f |
|
C2 URL |
mftanalytics[.]cloud/messages/kw1ExXHpLDVRhhi8NSRr7Z0-o-c6 |
URL |
Command and Control |
Extracted from Cobalt Strike config in 572d9e9e2b0893cd5f0bf8952fa55aabc1acb546 and 8d5908a1ae3d7fd5b534700f37694a782fa8d20f |
|
C2 URL |
91.234.254[.]184/messages/kw1ExXHpLDVRhhi8NSRr7Z0-o-c6 |
URL |
Command and Control |
Extracted from Cobalt Strike config in 572d9e9e2b0893cd5f0bf8952fa55aabc1acb546 and 8d5908a1ae3d7fd5b534700f37694a782fa8d20f |
|
C2 URL |
alpha.sync.akamaistats[.]com/c/msdownload/update/others/2020/10/29136388_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in 6900c8336b20c1e0a0453d2bc243d4937c6b7b09 |
|
C2 URL |
beta.sync.akamaistats.com/c/msdownload/update/others/2020/10/29136388_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in 6900c8336b20c1e0a0453d2bc243d4937c6b7b09 |
|
C2 URL |
omega.sync.akamaistats[.]com,/c/msdownload/update/others/2020/10/29136388_ |
URL |
Command and Control |
Extracted from Cobalt Strike config in 6900c8336b20c1e0a0453d2bc243d4937c6b7b09 |
|
C2 URL |
23.227.178[.]115/dpixel |
URL |
Command and Control |
Extracted from Cobalt Strike config in 8495925dc51357b58f9a9cc3eb37c7bd33e8d7bd |
|
C2 URL |
23.227.178[.]115/submit.php |
URL |
Command and Control |
Extracted from Cobalt Strike config in 8495925dc51357b58f9a9cc3eb37c7bd33e8d7bd and 1606bb73020c41dfb1256ca4dc57368e89543f21 |
|
C2 URL |
23.227.178[.]115/__utm.gif |
URL |
Command and Control |
Extracted from Cobalt Strike config in 1606bb73020c41dfb1256ca4dc57368e89543f21 |
