This article is contributed. See the original author and article here.
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Description
CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL) and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to side-load the malicious DLL file. The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.
For more information on cyber actors exploiting vulnerabilities in ZCS, see joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite.
Download the PDF version of this report: MAR-10398871-1.v2.WHITE, 372 kb
Submitted Files (3)
233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91 (bin.config)
25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51 (VFTRACE.dll)
df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 (vxhost.exe)
Additional Files (1)
3450d5a3c51711ae4a2bdb64a896d312ba638560aa00adb2fc1ebc34bee9369e (Extracted_CobaltStrike_Beacon)
IPs (1)
207.148.76.235
df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
Tags
loaderpup
Details
Name | vxhost.exe |
---|---|
Size | 351240 bytes |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 4109ac08bdc8591c7b46348eb1bca85d |
SHA1 | 6423d1c324522bfd2b65108b554847ac4ab02479 |
SHA256 | df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 |
SHA512 | 0605362190a9cb04a7392c7eae3ef79964a76ea68dc03dfabe6ec8f445f1c355772f2ca8166cbee73188e57bff06b74fb2cfa59869cb4461fffe1c3589856554 |
ssdeep | 6144:BTMoU0+zvvLIpa8bo5GOc1G41vupWn2rwRGekPHZLZKA1UnmOlm:XUDvvsc80AOc1GYvAW2EGtH5ZKAKmOQ |
Entropy | 6.471736 |
Antivirus
No matches found.
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2016-01-05 08:22:40-05:00 |
---|---|
Import Hash | b66afb12e84aa5ce621a6635837cadba |
Company Name | CyberArk Software Ltd. |
File Description | CyberArk Viewfinity |
Internal Name | vf_host.exe |
Legal Copyright | Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved. |
Original Filename | vf_host.exe |
Product Name | CyberArk Viewfinity |
Product Version | 5.5.10.101 |
PE Sections
MD5 | Name | Raw Size | Entropy |
---|---|---|---|
3822119e846581669481aba79308c57c | header | 1024 | 2.580725 |
98ccfff2af4ccaa3335f63592a1fba02 | .text | 270848 | 6.543317 |
9dcc89a0d16e36145bb07924ca260dfe | .rdata | 50688 | 5.132125 |
14d493033fc147f67601753310725b2b | .data | 5632 | 3.711689 |
615729d1383743a91b8baf309f1a8232 | .rsrc | 16896 | 4.839559 |
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.? |
Relationships
df847abbfa… | Used | 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51 |
Description
This artifact is a 32-bit executable file that has been identified as a version of vf_host.exe from Viewfinity and is benign. The file is used to side-load a DLL, vftrace.dll “058434852bb8e877069d27f452442167”.
25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51
Tags
loadertrojan
Details
Name | VFTRACE.dll |
---|---|
Size | 78336 bytes |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
MD5 | 058434852bb8e877069d27f452442167 |
SHA1 | 026d81090c857d894aaa18225ec4a99e419da651 |
SHA256 | 25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51 |
SHA512 | 602ad76d61e97d72d983083768eba32d3ad549ac1c763a9b39092feaef8bd4d186df18b6f91992ac8da517e86b84aaa2422da700798a65f4383ed997f52744e3 |
ssdeep | 1536:carhs4oc7yABoxjo5p+Ocyk7P0Okmu4dJsWxcdbbZFUZAUZpw/:ndy8oxjS+Ocyk7sMzCbVFUZAULW |
Entropy | 6.278601 |
Antivirus
Adaware | Gen:Variant.Bulz.429221 |
---|---|
Avira | TR/Agent.bjbhb |
Bitdefender | Gen:Variant.Bulz.429221 |
Cyren | W32/ABRisk.LHKD-1052 |
ESET | a variant of Win32/Agent.AELW trojan |
Emsisoft | Gen:Variant.Bulz.429221 (B) |
IKARUS | Trojan.Win32.Agent |
K7 | Trojan ( 00595a621 ) |
Symantec | Trojan.Gen.MBT |
Zillya! | Trojan.Agent.Win32.2882847 |
YARA Rules
- rule CISA_10398871_01 : trojan loader COBALTSTRIKE
{
meta:
Author = “CISA Code & Media Analysis”
Incident = “10398871”
Date = “2022-09-29”
Last_Modified = “20221001_1200”
Actor = “n/a”
Category = “Trojan Loader”
Family = “COBALTSTRIKE”
Description = “Detects CobaltStrike Loader samples”
MD5=”058434852bb8e877069d27f452442167″
SHA256=”25da610be6acecfd71bbe3a4e88c09f31ad07bdd252eb30feeef9debd9667c51″
strings:
$s1 = { 62 69 6E 2E 63 6F 6E 66 69 67 }
$s2 = { 56 46 54 52 41 43 45 }
$s3 = { FF 15 18 D0 00 10 }
$s4 = { FF 15 28 D0 00 10 }
$s5 = { 8B 55 EC 03 55 F4 0F B6 02 33 45 E4 }
condition:
uint16(0) == 0x5A4D and all of them
}
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2022-06-20 05:36:32-04:00 |
---|---|
Import Hash | 6677de6818bcf597d512ad4ddaea3f53 |
Company Name | CyberArk Software Ltd. |
File Description | CyberArk Viewfinity |
Internal Name | VFTRACE.dll |
Legal Copyright | Copyright © 1999-2016 CyberArk Software Ltd. All Rights Reserved. |
Original Filename | VFTRACE.dll |
Product Name | CyberArk Viewfinity |
Product Version | 5.5.10.101 |
PE Sections
MD5 | Name | Raw Size | Entropy |
---|---|---|---|
ef4a8b161c3676b052755f8c0bf9f3bd | header | 1024 | 2.828221 |
48afd9b4ef10b5f14b2c10c9581cbc2d | .text | 45568 | 6.611882 |
f99c54571592839d48904df07f921829 | .rdata | 24064 | 4.990721 |
8a5c1764d3d68e0963003dd46f3b905e | .data | 2560 | 1.834913 |
1e0c952d3a72e7edcda3b58acd829b6b | .rsrc | 1536 | 3.799739 |
41dfd851e9053a3876aa86212cd5d4a1 | .reloc | 3584 | 6.485745 |
Packers/Compilers/Cryptors
Borland Delphi 3.0 (???) |
Relationships
25da610be6… | Used_By | df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 |
25da610be6… | Used | 233bb85dbeba69231533408501697695a66b7790e751925231d64bddf80bbf91 |
Description
This artifact is a malicious 32-bit DLL file loaded by “vxhost.exe” (4109ac08bdc8591c7b46348eb1bca85d). This file is designed to search and load an encrypted file “%current directory%bin.config” (be2b0c387642fe7e8475f5f5f0c6b90a) if installed on the compromised system. It decrypts the file using the hard-coded XOR key “0x401”. The decrypted binary contains a Cobalt Strike Beacon DLL that has an embedded shellcode inside of the MZ header. It copies the Cobalt Strike Beacon DLL into a buffer and executes the shellcode.
Screenshots