Report summary
Our Global Threat Intelligence Center (GTIC) has been tracking Vermillion Strike actors since mid-2021. You can read our previous research here.
Over the past two weeks, the same actors have been ramping up a new campaign. The actors have updated domains (microsoftkernel[.]com and microsofthk[.]com) previously used for Vermillion Strike campaigns to a new IP address. The domains have been active for the first time in several months. Additionally, we established a relationship between the Vermillion Strike infrastructure and a tracked Cobalt Strike jumphost, linking the activity of the two infrastructures.
Increased traffic and the reactivation of high-value command-and-control (C2) domains strongly indicate a new campaign led by the actors behind Vermillion Strike.
Technical details
A new SoftEther VPN node utilizing a self-signed certificate used in a previous campaign appeared online on 29 January 2022. On 21 January, microsoftkernel[.]com was updated to resolve to 202[.]58[.]104[.]136; due to NTT’s unique visibility and telemetry from our global internet footprint, we were able to observe an Indonesian government organization start to communicate with it before pDNS services pointed to the update on 22 January. On 29 January, the microsofthk[.]com DNS record was updated to 202[.]58[.]104[.]136. Shortly afterwards, the Cobalt Strike jumphost (185[.]191[.]34[.]209) established communication and has maintained a high amount of traffic to date.
Microsoftkh[.]com appears to be only associated with high-level targets. In the previous campaign, only government entities were seen accessing it over port 443, which was the port the SoftEther VPN service was using, likely for exfiltration and remote access. Over the last two weeks, other than the Cobalt Strike jumphost connection, all 443 communication to the SoftEther VPN node have been suspected high-level targets as well.
Threat actors
At this time, we have not yet attributed this campaign to a specific named threat actor group. As we continue to investigate this campaign and discovers more details, we will update this research with further relevant details as possible.
Target
We previously observed Vermillion Strike only targeting government entities. Recently, we’ve observed the campaign also impacting organizations in the education and telecommunications industries. IPs from Thailand and Taiwan accessed the new host via port 443, with the earliest connections beginning 19 January 2022.
Tactics, techniques, procedures
Cobalt Strike – a legitimate and commercially available advanced penetration tool first released in 2012; covers the full MITRE ATT&CK tactics. Marketed for adversary simulations, Red Team operations and penetration testers and aimed against the Windows platform, Cobalt Strike allows for the emulation of advanced threat actor post-exploitation activities.
However, threat actors use stolen versions of the tool in their attacks to achieve advanced capabilities they may not otherwise be capable of.
Notably, Cobalt Strike’s Beacon component allows operators to model advanced attack behavior including execution of various scripts, downloading of files, privilege escalation and recording keystrokes and screenshots, as well as spawning additional payloads. Additionally, Cobalt Strike can leverage other tools’ capabilities, such as Mimikatz.
In 2021, threat actors recreated and released a version of Cobalt Strike for Linux dubbed Vermillion Strike.
Campaign and event timeline
19 January 2022
An organization in Thailand started connecting to the Vermillion Strike host over port 443
29 January 2022
microsofthk.com DNS record updated to 202.58.104.136. The Cobalt Strike jumphost established communication shortly after
21 January 2022
microsoftkernel.com updated to resolve to 202.58.104.136
Recommendation
We help clients detect, prevent and remediate Cobalt Strike infections via our Threat Detection services delivered from multiple 24/7 SOCs around the world.
Customers using our Cyber Threat Sensor-AI (CTS-AI), our AI-powered network detection and response tool for AWS applications and data in the cloud will already have received early access to enhanced protection from our threat intelligence and monitoring in advance of this publication.
Our GTIC provides automated indicator sharing to enhance our Threat Detection service coverage. This provides early visibility and improves threat detection to support our Managed Security Services (MSS) customers. Should you require further assistance or investigation, please reach out to our Security Consulting Services to engage our Digital Forensics & Incident Response team.
Mitigation and remediation
We also recommend adopting the following MITRE ATT&CK Mitigations to reduce the risk of compromise by Cobalt Strike. We recommend utilizing the following defense mitigations:
| Mitigation ID | Mitigation name | ATT&CK description |
|---|---|---|
| M1016 | Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. |
| M1017 | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
| M1027 | Password Policies | Set and enforce secure password policies for accounts. |
| M1030 | Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. |
| M1031 | Network Intru- sion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
| M1032 | Multi-Factor Authentication | Use two or more pieces of evidence to authenticate to a system. |
| M1037 | Filter Network Traffic |
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
| M1040 | Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. |
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1049 | Antivirus/ Antimalware | Use signatures or heuristics to detect malicious software |
| M1051 | Update Software | Perform regular software updates to mitigate exploitation risk. |
| M1053 | Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. |
References https://hello.global.ntt/-/media/ntt/global/insights/white-papers/vermilion-strike-report.pdf https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader- campaign-exploits-microsofts-signature-verification-putting-users-at-risk/ https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/
Technical indicators
C2 Domains
- microsoftkernel.com
- microsofthk.com
CobaltStrike
104[.]168.165.125 • 118[.]107.43.207 - https:// ejv8xluugf.execute-api.ap-east-1. amazonaws[.]com/api/fetch
- 128[.]199.223.60
- 128[.]199.228.141
- 137[.]220.184.148
- 139[.]162.116.109
- 139[.]180.175.197
- 139[.]59.103.164
- 141[.]164.57.17
- 143[.]198.214.125
- 154[.]202.59.41
- 156[.]232.248.34
- 156[.]232.248.38
- 158[.]247.204.133
- 172[.]104.90.254
- 172[.]105.192.139
- 172[.]245.79.146 - http://172[.]245.79.146:8443/cx
- 182[.]16.54.178
- 182[.]16.54.179
- 182[.]16.54.180
- 182[.]16.54.181
- 182[.]16.54.182
- 192[.]252.180.68
- 192[.]3.128.243
- 193[.]203.12.193
- 210[.]1.226.241
- 216[.]118.246.118
- 47[.]242.26.146
- 47[.]243.179.37
- 47[.]243.230.91
- 47[.]243.24.118
- 52[.]128.229.4
- 52[.]128.229.6
- 8[.]217.74.99
- 8[.]218.134.36
SoftEtherVPN SSL Fingerprint
e2a2a59380dbb0a545fb253cd 334c7f216c20cc6ac821c88e5a 71a0ff18fd14f
About the Global Threat Intelligence Center
The Global Threat Intelligence Center (GTIC) protects, informs and educates NTT’s clients through the following activities: • Threat research • Vulnerability research • Intelligence fusion and analytics • Communication to NTT Group clients
The GTIC goes above and beyond the traditional pure research organization, by taking their threat and vulnerability research and combining it with their detective technologies development to produce applied threat intelligence. The GTIC’s mission is to protect clients by providing advanced threat research and security intelligence to enable NTT to prevent, detect and respond to cyberthreats.
Leveraging intelligence capabilities and resources from around the world, our threat research is focused on gaining understanding of, and insight into the various threat actors, exploit tools and malware – and the techniques, tactics and procedures (TTP) used by attackers.
Vulnerability research pre-emptively uncovers zero-day vulnerabilities which are likely to become the newest attack vector, while maintaining a deep understanding of published vulnerabilities. With this knowledge, our security monitoring services can more accurately identify malicious activity which is ‘on-target’ to our clients’ infrastructure.
Intelligence fusion and analytics is where it all comes together. The GTIC continually monitors the global threat landscape for new and emerging threats using our global internet infrastructure, clouds and data centers along with third-party intelligence feeds; and works to understand, analyze and enrich those threats using advanced analysis techniques and proprietary tools; and curates and publishes them using the Global Threat Intelligence Platform (GTIP).