Beacon

Attack Pattern updated a year ago (2024-06-26T14:16:19.541Z)
The "beacon" attack pattern refers to an implant that checks in with attacker-controlled infrastructure at intervals so the operator can keep access to a compromised system. In the assessment the sources describe, the red team installed a persistent beacon on Workstation 2 after one user triggered their payload. They used an HTTPS Cobalt Strike Beacon together with a named-pipe variant (Cobalt Strike's SMB Beacon) to establish and maintain this access. The beacons reached their command and control (C2) servers over DNS and HTTPS, via *.dns.artstrailreviews[.]com and wipresolutions[.]com respectively. Despite that success on Workstation 2, the team's attempt to move laterally to SCCM Server 2 via AppDomain hijacking failed: the HTTPS beacon there never called back.

The latest Cobalt Strike release covered by the sources significantly extended Beacon's post-exploitation capabilities. It introduced an in-Beacon data store in which operators can hold Beacon Object Files (BOFs) and .NET assemblies in a structured way, and a Reflective Loader that can resolve system call information and hand it to Beacon, overriding Beacon's default system call resolver. User-Defined Reflective Loaders (UDRLs) give operators control over how the Beacon payload is loaded into memory, and the Beacon payload can now be exported without a reflective loader, which adds official support for prepend-style UDRLs. Several built-in functions also gained callback support.
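The detection-side check a practitioner wants for the C2 traffic described above is interval analysis: a Beacon that sleeps for a fixed period (plus configured jitter) between HTTPS check-ins leaves a regular rhythm in proxy logs that interactive browsing does not. The following Python is an added example, not code from the page's sources or from Cobalt Strike. The log line format, the client address 10.0.0.5, the request path, the intranet host and the thresholds (at least six requests; coefficient of variation of the gaps at or below 0.25) are all constructed for illustration; wipresolutions[.]com is used as the callback domain only because the page names it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the page's sources). Assumed line format:
#   "<ISO timestamp> <client ip> <method> <url> <status>"
# Client 10.0.0.5 calls the page's C2 domain about once a minute with jitter;
# the intranet requests are filler that should not be flagged.
SAMPLE_LOG = """\
2024-06-26T14:00:00 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:00:10 10.0.0.5 GET https://intranet.corp.local/home 200
2024-06-26T14:00:12 10.0.0.5 GET https://intranet.corp.local/news 200
2024-06-26T14:00:58 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:02:01 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:03:02 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:03:57 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:04:40 10.0.0.5 GET https://intranet.corp.local/doc/1 200
2024-06-26T14:04:41 10.0.0.5 GET https://intranet.corp.local/doc/2 200
2024-06-26T14:05:01 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:06:00 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:07:02 10.0.0.5 GET https://wipresolutions.com/api/v1/status 200
2024-06-26T14:09:30 10.0.0.5 GET https://intranet.corp.local/doc/3 200
2024-06-26T14:09:33 10.0.0.5 GET https://intranet.corp.local/logout 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) https?://(?P<host>[^/\s]+)\S* (?P<status>\d+)$"
)


def parse_proxy_log(text: str) -> list:
    """Return (timestamp, client, host) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["src"], m["host"].lower()))
    return records


def beacon_candidates(records, min_events: int = 6, max_cv: float = 0.25) -> dict:
    """Flag (client, host) pairs whose inter-request gaps are regular.

    A sleeping Beacon produces gaps clustered around its sleep time; jitter
    widens the cluster but keeps the coefficient of variation (stdev / mean)
    small, while interactive browsing produces wildly uneven gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # everything in the same second: a burst, not beaconing
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = {
                "events": len(stamps),
                "median_gap_s": statistics.median(gaps),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, host), stats in beacon_candidates(parse_proxy_log(SAMPLE_LOG)).items():
        print(f"{src} -> {host}: {stats}")
```

On the constructed log this flags only the wipresolutions.com pair (eight requests, median gap 61 s, CV about 0.05); the intranet traffic has six requests too but its gaps range from one second to several minutes, so its CV is well above the threshold. In production the same statistic is usually computed per day over DNS as well as proxy data, since the DNS Beacon named above never touches a web proxy at all.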
An example beacon message, shown in Figure 6 of the source, begins with a data length of 44 bytes (0x2c), followed by a unique identifier string generated on the analysis system (where the sample ran as samp_f86ebe.exe), the hostname DESKTOP-U9SM1U2, and the system's IP address 172.16.189[.]130 encoded as 0xAC10BD82.
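To make the Figure 6 description concrete, here is an added Python example, not the analysis tooling behind the page's sources, that builds and parses a check-in message of that general shape. The exact field layout is an assumption: a 4-byte big-endian length prefix, a NUL-terminated identifier of the form <filename>|<hostname>, then the IPv4 address as four raw bytes in network order, which is how 172.16.189[.]130 becomes 0xAC10BD82. With that layout the constructed message comes out at 36 bytes rather than the 44 (0x2c) in Figure 6, because the page does not give the identifier's full composition.

```python
import ipaddress
import struct

# Assumed message layout (illustrative, not the documented Figure 6 format):
#   4 bytes  big-endian length of everything that follows
#   N bytes  identifier "<filename>|<hostname>", NUL-terminated
#   4 bytes  IPv4 address in network byte order (172.16.189.130 -> AC 10 BD 82)


def build_checkin(filename: str, hostname: str, ip: str) -> bytes:
    """Build a check-in message with the assumed layout (used to create test input)."""
    body = f"{filename}|{hostname}".encode("utf-8") + b"\x00"
    body += ipaddress.IPv4Address(ip).packed
    return struct.pack(">I", len(body)) + body


def parse_checkin(data: bytes) -> dict:
    """Parse a check-in message; raise ValueError on truncation or a malformed body."""
    if len(data) < 4:
        raise ValueError("too short for a length prefix")
    (length,) = struct.unpack(">I", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError(f"declared {length} body bytes, got {len(body)}")
    ident, nul, tail = body.partition(b"\x00")
    if not nul or len(tail) != 4:
        raise ValueError("identifier not NUL-terminated or IP field missing")
    filename, _, hostname = ident.decode("utf-8", errors="replace").partition("|")
    (ip_int,) = struct.unpack(">I", tail)
    return {
        "length": length,
        "filename": filename,
        "hostname": hostname,
        "ip_hex": f"0x{ip_int:08X}",          # the form quoted in the text
        "ip": str(ipaddress.IPv4Address(tail)),  # dotted form of the same 4 bytes
    }


# Constructed sample using the values quoted from Figure 6.
SAMPLE = build_checkin("samp_f86ebe.exe", "DESKTOP-U9SM1U2", "172.16.189.130")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_checkin(SAMPLE))
```

The length check matters when carving these messages out of a capture: a declared length that overruns the buffer is the usual sign of a mis-aligned offset or a different message type, and the parser refuses it rather than returning garbage fields.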
Description last updated: 2024-06-26T14:16:19.499Z
Aliases: none currently tracked.
Miscellaneous Associations (other elements of context that could aid in identifying relevance):
Cobalt Strike
Ransomware
Malware
Implant
Loader
Payload
Shellcode
Backdoor
Tool
Windows
Vpn
Mandiant
Google
Source
Phishing
Downloader
Trojan
Microsoft
Proxy
Exploit
Associated Malware
Each entry gives the alias, the association type, the vote count, and the description as recorded (several descriptions are cut off in the source).
Cobaltstrike (association type: Unspecified; votes: 6): Cobalt Strike is a commercial adversary-simulation framework rather than a malware family in its own right; its Beacon post-exploitation payload is widely abused by criminal and state-sponsored actors, often via cracked or leaked copies, to gain a foothold, steal data, and stage ransomware. CobaltStrike has been observed in conjunct...
Cobalt Strike Beacon (association type: Unspecified; votes: 5): Cobalt Strike Beacon is the framework's post-exploitation implant and is deployed by threat actors as a backdoor. In the reporting behind this association it is loaded by HUI Loader through files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon...
Meterpreter (association type: Unspecified; votes: 4): Meterpreter is the Metasploit framework's post-exploitation payload, giving the operator an interactive shell to control and execute code on a compromised system; like Beacon, it is a legitimate testing tool that threat actors also deploy. It is often delivered covertly through suspicious downloads, emails, or websites. Once insta...
Reflective Loader (association type: Unspecified; votes: 3): Reflective loading is a technique rather than a malware family: a small loader maps a DLL into a process's memory itself instead of going through the Windows loader, so the payload executes directly from memory and never appears as a normally loaded module, which makes it harder for antivirus software to detect and remove. The loader operat...
Conti (association type: Unspecified; votes: 2): Conti is ransomware designed to infiltrate and damage computer systems. It can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona...
Carbanak (association type: Unspecified; votes: 2): Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and ...
Ursnif (association type: Unspecified; votes: 2): Ursnif, also known as Gozi or ISFB, is a banking trojan that has been distributed by the threat actor group TA551. It can infiltrate systems via suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or even hold data for ra...
PlugX (association type: Unspecified; votes: 2): PlugX is a Remote Access Trojan (RAT) known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s...
Batloader (association type: Unspecified; votes: 2): Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal...
Truebot (association type: Unspecified; votes: 2): Truebot is malware utilized by the CL0P actors, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow...
Systembc (association type: Unspecified; votes: 2): SystemBC is a SOCKS proxy backdoor used to tunnel and conceal C2 traffic. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f...
python310.dll (association type: Unspecified; votes: 2): In this activity python310.dll is a trojanized copy of the legitimate Python 3.10 runtime DLL, installed with a persistence run key named "Python" whose value is "C:\Users\Public\Music\python\pythonw.exe". The malware can enter your...
pythonw.exe (association type: Unspecified; votes: 2): pythonw.exe is the legitimate windowless Python interpreter; in the associated activity a copy placed at C:\Users\Public\Music\python\pythonw.exe executes malicious code on Windows systems by loading the trojanized python310.dll described above. The initial payload reaches the system through suspicious downloads, emails, or websites without the user's knowledge, with the potential to steal personal info...
Diceloader (association type: Unspecified; votes: 2): Diceloader is malware designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in...
Associated Threat Actors
Each entry gives the alias, the association type, the vote count, and the description as recorded (several descriptions are cut off in the source).
Lace Tempest (association type: Unspecified; votes: 3): Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi...
FIN12 (association type: Unspecified; votes: 3): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware...
Pistachio Tempest (association type: Unspecified; votes: 2): Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en...
Arid Viper (association type: Unspecified; votes: 2): Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyber espionage group that has been active since at least 2013, primarily targeting countries in the Middle East. The group's geographical location remains unknown, but it is associated with Palestinian interests and is...
FIN7 (association type: Unspecified; votes: 2): FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global ...
Source Document References
Information about the Beacon Attack Pattern was read from the documents corpus below (display limited to 20 results; source and creation time only).
Trend Micro, a year ago
CERT-EU, 2 years ago
MITRE, 2 years ago
CERT-EU, 2 years ago
MITRE, 2 years ago
CISA, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
SecurityIntelligence.com, 2 years ago
MITRE, 2 years ago
CISA, 2 years ago
CERT-EU, 2 years ago
Securelist, 2 years ago
SecurityIntelligence.com, 2 years ago
Trend Micro, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago