A malicious campaign has been discovered that uses domain fronting to disguise command-and-control traffic: a valid Myanmar government domain is used to redirect communications to an attacker-controlled server and avoid detection. The campaign used Cobalt Strike payloads as a stepping stone for launching subsequent attacks, and the adversary employed a domain connected with Myanmar Digital News as a front for its Beacons.
Chetan Raghuprasad, Asheer Malhotra, and Vanja Svajcer of Cisco Talos stated that when the Beacon is activated, it makes a DNS request for a real high-reputation domain hosted on Cloudflare infrastructure, then changes the HTTPS request headers to tell the CDN to forward the traffic to an attacker-controlled server.
Cobalt Strike is a prominent red team tool that penetration testers use to imitate threat actor behavior on a network. It was first launched in 2012 to address alleged flaws in the well-known Metasploit penetration-testing and hacking framework.
However, because the tool simulates attacks by actually carrying them out, it has become a formidable tool in the hands of malware operators, who use it as an initial access payload that allows them to perform a variety of post-exploitation activities, such as lateral movement and the deployment of various malware.
Although Cobalt Strike can be purchased directly from the vendor's website for $3,500 per user for a one-year license, the program is also sold on the dark web via underground hacker forums, and threat actors can obtain cracked, illegal copies of the software.
The Beacon makes its initial DNS request to the government-owned domain, while the real command-and-control (C2) traffic is discreetly rerouted to an attacker-controlled server, mimicking ordinary traffic patterns in an attempt to evade security solutions. According to the researchers, the C2 server, a Windows server running Internet Information Services (IIS), is no longer operating.
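The detectable artefact of the technique described above is a TLS connection whose SNI names the fronted high-reputation domain while the HTTP Host header inside it names a different organisation. The following is an added example (not code from Cisco Talos or from the campaign) that flags such mismatches over constructed key=value log lines; it assumes a TLS-inspecting gateway that logs both the SNI and the decrypted Host header, and uses a crude last-two-labels guess for the registrable domain instead of a public-suffix list.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (key=value); none of these names are from the article.
# Assumption: the gateway logs the TLS SNI and the decrypted HTTP Host header together.
SAMPLE_LOGS = [
    "ts=1 src=10.0.0.5 sni=news.example-gov.mm host=news.example-gov.mm",
    "ts=2 src=10.0.0.5 sni=news.example-gov.mm host=c2.attacker.example",
    "ts=3 src=10.0.0.7 sni=www.example.com host=www.example.com",
    "ts=4 src=10.0.0.9 sni=static.example-news.org host=api.example-news.org",
]


@dataclass
class Finding:
    src: str
    sni: str
    host: str
    severity: str  # "high": Host belongs to another organisation; "low": same organisation


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (values may themselves contain '=')."""
    return dict(field.split("=", 1) for field in line.split())


def org_of(name: str) -> str:
    """Crude registrable-domain guess: the last two DNS labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check(rec: dict) -> Optional[Finding]:
    """Return a Finding when SNI and Host disagree; None for ordinary TLS traffic."""
    sni, host = rec.get("sni", ""), rec.get("host", "")
    if not sni or not host or sni.lower() == host.lower():
        return None
    # Same-organisation mismatches are usually CDN virtual hosting; cross-organisation
    # mismatches are the domain-fronting pattern and deserve a closer look.
    severity = "low" if org_of(sni) == org_of(host) else "high"
    return Finding(rec.get("src", "?"), sni, host, severity)


def find_fronting(lines) -> list:
    """Run the SNI/Host check over an iterable of log lines."""
    return [f for f in (check(parse_line(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src}: SNI={f.sni} Host={f.host}")
```

Where the gateway cannot decrypt traffic, the same comparison can be made against the Host header of the plain HTTP channel or against CDN-side logs, but TLS-only visibility will not expose the mismatch.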