Threat update

Google users have been targeted with a typosquatted attack when searching Advanced IP Scanner. When searching for this free network scanner for Windows, users are served with an exploited version of Advanced IP Scanner that injects a CobaltStrike Beacon into the parent process's address space. 

Technical Detail and Additional Info

What is the threat?

CobaltStrike Beacon is a payload, created by CobaltStrike, to model post-exploitation activities in red team or offensive security attacks. Beacon creates a communication channel between the attacker's command-and-control(C2) server and the compromised user's system. It is often disguised and cloaked through traffic on the HTTP/HTTPS or DNS tunnelling making it very difficult to detect. Once the Beacon communication channel is established between the devices, the bad actor can steal data, send commands and spread the Beacon throughout the network. 

Why is it noteworthy?

Attacks of this nature always pose a high security threat to the public because of its stealth, effectiveness, and execution. The bad actors were able to openly market this domain and promote it to Google users without users questioning the search results. The intricacy of the program allows the Beacon to deploy effectively and swiftly by decrypting the Beacon, then injecting it into the parent process's address system. These factors make this payload an emerging threat in the cybersecurity space.

What is the exposure or risk?

The flexibility and cloaking like customization of the CobaltStrike Beacon makes it extremely adaptable to different scopes and attacks. Operators of the Beacon can create different Malleable C2 profiles, which helps it blend into network traffic and hide behind your computer's activities. Bad actors have exploited this feature to make the Beacon avoid various virus and malware security scanners. 

What are the recommendations?

 LBT Technology Group recommends the following actions to limit the impact of downloading CobaltStrike Beacon:

• Maintain proper security checks before downloading software from the internet; double check to make sure the website has proper certifications and is a trusted and official source.
• Ensure you have strong security measures in place such as endpoint protection and network traffic checks.
• Block the following domains: https[:]//adlvanced-ip-scanner[.]com, https[:]//advanced-ip-scanner[.]link, https[:]//advnaced-ip-skanner[.]top, https [:]//advanced-ip[.]org.
• Block the following hashes of the exploited Advanced IP Scanner: 723227f3a71001fb9c0cd28ff52b2636 (MD5) and fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711 (SHA256).
• Block the following hashes of the Cobalt Beacon Shellcode: e12ebfd9f6e8cf6cbd76b229e7bf7492 (MD5) and 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4 (SHA256)

References

 For more in-depth information about the recommendations, please visit the following links:

• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-advanced-ip-scanner-installer-delivers-dangerous-cobaltstrike-backdoor/?&web_view=true
• https://www.cobaltstrike.com/product/features/beacon

If you have any questions, please contact LBT's Sales Engineer.