
A malicious campaign has been found using a technique called domain fronting to hide command-and-control traffic: it abuses a legitimate domain owned by the Myanmar government to route communications to an attacker-controlled server, with the goal of evading detection.

The threat, which was observed in September 2021, deployed Cobalt Strike payloads as a stepping stone for launching further attacks, with the adversary using a domain associated with the Myanmar Digital News network, a state-owned digital newspaper, as a front for their Beacons.

“When the Beacon is launched, it will submit a DNS request for a legitimate high-reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPS request header to instruct the CDN to direct the traffic to an attacker-controlled host,” Cisco Talos researchers Chetan Raghuprasad, Vanja Svajcer, and Asheer Malhotra said in a technical analysis published Tuesday.
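The behaviour Talos describes leaves a measurable artifact: the TLS SNI names the reputable fronted domain while the inner HTTP Host header names a different registrable domain. The following detection routine is an added example, not code from the Talos report; it assumes a simple key=value proxy or TLS-inspection log and uses constructed placeholder domains, since the page does not name the real fronted domain.

```python
"""Flag possible domain fronting: TLS SNI and HTTP Host disagree.

Added example (not from the Talos report). Assumes a proxy log with one
request per line in key=value form: ts, src, sni, host, path.
All domain names below are constructed placeholders.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    src: str
    sni: str
    host: str
    path: str


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


def registrable(name: str) -> str:
    """Crude eTLD+1: the last two labels. Sufficient for the constructed data;
    a real deployment would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_fronting(lines):
    """Return a Finding for every request whose Host header belongs to a
    different registrable domain than the SNI it was sent under. Subdomain
    differences within one registrable domain are tolerated, since CDN
    customers routinely serve www.X under X."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        sni, host = rec.get("sni", ""), rec.get("host", "")
        if not sni or not host:
            continue  # plain HTTP or missing fields: nothing to compare
        if registrable(sni) != registrable(host):
            findings.append(Finding(rec.get("src", "?"), sni, host, rec.get("path", "")))
    return findings


# Constructed sample: the second line mimics the Beacon behaviour described above.
SAMPLE_LOG = [
    "ts=2021-09-14T10:00:01Z src=10.0.0.5 sni=www.legit-news.example host=www.legit-news.example path=/",
    "ts=2021-09-14T10:00:07Z src=10.0.0.5 sni=www.legit-news.example host=c2-front.attacker.example path=/latest",
    "ts=2021-09-14T10:00:09Z src=10.0.0.9 sni=cdn.legit-news.example host=legit-news.example path=/img/logo.png",
]

if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"ALERT src={f.src} sni={f.sni} host={f.host} path={f.path}")
```

Such a mismatch is not proof of fronting on its own (some CDN configurations produce it legitimately), so treat the alert as a triage lead to be correlated with the source host's other activity.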

Originally released in 2012 to address perceived shortcomings in the popular Metasploit penetration-testing and hacking framework, Cobalt Strike is a popular red team software that’s used by penetration testers to emulate threat actor activity in a network.

But because the utility simulates attacks by actually carrying them out, the software has increasingly emerged as a formidable weapon in the hands of malware operators, who use it as an initial access payload that enables the attackers to carry out a diverse array of post-exploitation activities, including lateral movement and deploying a wide range of malware.
