Hunting Cobalt Strike LNK Loaders
Introduction
This blog is to showcase a new tool I have released that extends the search functionality for Malware Bazaar by abuse.ch. The idea of the tool is to allow the user to intuitively use multiple search filters at once. It is not perfect, as there is a quirk can can produce false negatives, and not all search parameters are supported; however, it should still be useful to quickly find malware with specific properties.
The tool can be found here: https://github.com/montysecurity/malware-bazaar-advanced-search
Getting Cobalt Strike Samples
The code works by splitting the search parameters into their own separate queries and pulling the results, then cross-referencing the results with each other.
The default functionality is only to list the number of matches, as can be seen below.
python.exe .\search.py -s "file_type:lnk signature:CobaltStrike"
To download the hashes, add the --download-all flag and they will be placed in a directory called “samples”.
python.exe .\search.py -s "file_type:lnk signature:CobaltStrike" --download-all
Here we see all the samples downloaded and moved to a Remnux VM. To unzip them, use 7z x with the password “infected”.
Analyzing the Loaders
We see the first one uses IEX and WebClient to download and execute a second payload.
The second one reads a local file in the same directory and then pipes it to Invoke_Expression. This suggests they payload was shipped with the .log file and this file contained more PowerShell code.
The 3rd one is using arithmetic in VBS to obfuscate an mshta.exe command to download and run the second stage.
The last one uses rundll32.exe proxy execution to execute cmd.exe and use a series of conditionals to determine what payload to run.
Conclusion
While we did some basic analysis of the suspected Cobalt Strike loaders, the main point of this post is to demonstrate a potential use case for the tool; that is, searching for recent malware samples that have specific properties, all without needing an API key.
