
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL) and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to side-load the malicious DLL file. The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.

For more information on cyber actors exploiting vulnerabilities in ZCS, see joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite.

Download the PDF version of this report: MAR-10398871-1.v2.WHITE, 372 kb

Submitted Files (3)

233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91 (bin.config)

25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51 (VFTRACE.dll)

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (vxhost.exe)

Additional Files (1)

3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e (Extracted_CobaltStrike_Beacon)

IPs (1)

207.148.76.235

df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348

Tags

loaderpup

Details
Name vxhost.exe
Size 351240 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4109ac08bdc8591c7b46348eb1bca85d
SHA1 6423d1c324522bfd2b65108b554847ac4ab02479
SHA256 df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
SHA512 0605362190a9cb04a7392c7eae3ef79964a76ea68dc03dfabe6ec8f445f1c355772f2ca8166cbee73188e57bff06b74fb2cfa59869cb4461fffe1c3589856554
ssdeep 6144:BTMoU0+zvvLIpa8bo5GOc1G41vupWn2rwRGekPHZLZKA1UnmOlm:XUDvvsc80AOc1GYvAW2EGtH5ZKAKmOQ
Entropy 6.471736
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-01-05 08:22:40-05:00
Import Hash b66afb12e84aa5ce621a6635837cadba
Company Name CyberArk Software Ltd.
File Description CyberArk Viewfinity
Internal Name vf_host.exe
Legal Copyright Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved.
Original Filename vf_host.exe
Product Name CyberArk Viewfinity
Product Version 5.5.10.101
PE Sections
MD5 Name Raw Size Entropy
3822119e846581669481aba79308c57c header 1024 2.580725
98ccfff2af4ccaa3335f63592a1fba02 .text 270848 6.543317
9dcc89a0d16e36145bb07924ca260dfe .rdata 50688 5.132125
14d493033fc147f67601753310725b2b .data 5632 3.711689
615729d1383743a91b8baf309f1a8232 .rsrc 16896 4.839559
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
df847abbfa… Used 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
Description

This artifact is a 32-bit executable file that has been identified as a version of vf_host.exe from Viewfinity and is benign. The file is used to side-load a DLL, vftrace.dll (058434852bb8e877069d27f452442167).

25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51

Tags

loadertrojan

Details
Name VFTRACE.dll
Size 78336 bytes
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 058434852bb8e877069d27f452442167
SHA1 026d81090c857d894aaa18225ec4a99e419da651
SHA256 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
SHA512 602ad76d61e97d72d983083768eba32d3ad549ac1c763a9b39092feaef8bd4d186df18b6f91992ac8da517e86b84aaa2422da700798a65f4383ed997f52744e3
ssdeep 1536:carhs4oc7yABoxjo5p+Ocyk7P0Okmu4dJsWxcdbbZFUZAUZpw/:ndy8oxjS+Ocyk7sMzCbVFUZAULW
Entropy 6.278601
Antivirus
Adaware Gen:Variant.Bulz.429221
Avira TR/Agent.bjbhb
Bitdefender Gen:Variant.Bulz.429221
Cyren W32/ABRisk.LHKD-1052
ESET a variant of Win32/Agent.AELW trojan
Emsisoft Gen:Variant.Bulz.429221 (B)
IKARUS Trojan.Win32.Agent
K7 Trojan ( 00595a621 )
Symantec Trojan.Gen.MBT
Zillya! Trojan.Agent.Win32.2882847
YARA Rules
    rule CISA_10398871_01 : trojan loader COBALTSTRIKE
    {
        meta:
            Author = "CISA Code & Media Analysis"
            Incident = "10398871"
            Date = "2022-09-29"
            Last_Modified = "20221001_1200"
            Actor = "n/a"
            Category = "Trojan Loader"
            Family = "COBALTSTRIKE"
            Description = "Detects CobaltStrike Loader samples"
            MD5 = "058434852bb8e877069d27f452442167"
            SHA256 = "25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51"
        strings:
            $s1 = { 62 69 6E 2E 63 6F 6E 66 69 67 }             // "bin.config"
            $s2 = { 56 46 54 52 41 43 45 }                      // "VFTRACE"
            $s3 = { FF 15 18 D0 00 10 }                         // call dword ptr [0x1000D018]
            $s4 = { FF 15 28 D0 00 10 }                         // call dword ptr [0x1000D028]
            $s5 = { 8B 55 EC 03 55 F4 0F B6 02 33 45 E4 }       // byte-read-and-XOR loop fragment
        condition:
            uint16(0) == 0x5A4D and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2022-06-20 05:36:32-04:00
Import Hash 6677de6818bcf597d512ad4ddaea3f53
Company Name CyberArk Software Ltd.
File Description CyberArk Viewfinity
Internal Name VFTRACE.dll
Legal Copyright Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved.
Original Filename VFTRACE.dll
Product Name CyberArk Viewfinity
Product Version 5.5.10.101
PE Sections
MD5 Name Raw Size Entropy
ef4a8b161c3676b052755f8c0bf9f3bd header 1024 2.828221
48afd9b4ef10b5f14b2c10c9581cbc2d .text 45568 6.611882
f99c54571592839d48904df07f921829 .rdata 24064 4.990721
8a5c1764d3d68e0963003dd46f3b905e .data 2560 1.834913
1e0c952d3a72e7edcda3b58acd829b6b .rsrc 1536 3.799739
41dfd851e9053a3876aa86212cd5d4a1 .reloc 3584 6.485745
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???)
Relationships
25da610be6… Used_By df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
25da610be6… Used 233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91
Description

This artifact is a malicious 32-bit DLL file loaded by "vxhost.exe" (4109ac08bdc8591c7b46348eb1bca85d). The DLL searches for and loads the encrypted file "%current directory%bin.config" (be2b0c387642fe7e8475f5f5f0c6b90a) if it is present on the compromised system, and decrypts it with the hard-coded XOR key "0x401". The decrypted binary is a Cobalt Strike Beacon DLL with shellcode embedded inside its MZ header. The DLL copies the Beacon into a buffer and executes that shellcode.
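As an added analyst-side illustration (not part of the CISA report or its samples) of the decryption step described above: a small Python triage helper that applies the reported key 0x401 to a blob under three assumed byte-level interpretations, accepts a result only when it parses as an MZ/PE image, and flags a call stub sitting right after the MZ bytes. The key interpretations, the stub heuristic and the sample blob are assumptions constructed for the example.

```python
import struct

# Key reported by the analysis. The report does not say how the value is applied
# per byte, so the candidate interpretations below are assumptions.
XOR_KEY = 0x401

def key_streams(key: int) -> dict:
    """Candidate byte streams for applying the reported key (assumed interpretations)."""
    return {
        "dword_le": struct.pack("<I", key),   # 01 04 00 00 repeated
        "word_le": struct.pack("<H", key),    # 01 04 repeated
        "low_byte": bytes([key & 0xFF]),      # every byte XOR 0x01 (dword XOR truncated to a byte)
    }

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus an e_lfanew that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def has_stub_after_mz(data: bytes) -> bool:
    """Heuristic (assumption): x86 reflective stubs often place 'call $+5' right after MZ."""
    return data[2:7] == b"\xe8\x00\x00\x00\x00"

def triage(blob: bytes):
    """Try each key interpretation; return (interpretation, plaintext, stub_flag) or None."""
    for name, key in key_streams(XOR_KEY).items():
        plain = xor_bytes(blob, key)
        if looks_like_pe(plain):
            return name, plain, has_stub_after_mz(plain)
    return None

def build_sample() -> bytes:
    """Constructed stand-in for bin.config: a minimal MZ/PE skeleton with a stub after MZ,
    encrypted with the low-byte interpretation. Not real malware bytes."""
    hdr = bytearray(b"MZ\xe8\x00\x00\x00\x00" + b"\x90" * (0x3C - 7))
    hdr += struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    return xor_bytes(bytes(hdr), key_streams(XOR_KEY)["low_byte"])

if __name__ == "__main__":
    result = triage(build_sample())
    print("interpretation:", result[0], "| stub after MZ:", result[2])
```

On a real capture, replace build_sample() with the file bytes and treat a None result as "key interpretation unknown", not as "not encrypted".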

Screenshots