Beacon

Attack Pattern updated 4 months ago (2024-06-26T14:16:19.541Z)
The attack pattern "beacon" refers to an implant that checks in with attacker-controlled infrastructure at intervals so the operator can keep persistent access to a compromised system and task it. In the red team engagement covered by the source reporting, the team established a persistent beacon on Workstation 2 after a single user ran its payload. The operators used an HTTPS Cobalt Strike Beacon alongside a peer-to-peer Beacon variant that communicates over named pipes. Command and control (C2) traffic went out over DNS and HTTPS, to *.dns.artstrailreviews[.]com and wipresolutions[.]com respectively. Despite the foothold on Workstation 2, the team's attempt to move laterally to SCCM Server 2 through AppDomain hijacking failed: the HTTPS Beacon did not call back.

Recent Cobalt Strike releases have also expanded Beacon's post-exploitation capabilities. An in-Beacon data store holds Beacon Object Files (BOFs) and .NET assemblies in a structured manner. User-Defined Reflective Loaders (UDRLs) give operators control over how the Beacon payload is loaded; a UDRL can resolve system call information itself and hand it to Beacon, overriding Beacon's default system call resolver. The Beacon payload can also be exported without a reflective loader at all, which adds official support for prepend-style UDRLs and makes deployment more flexible across environments. Several built-in functions additionally accept callbacks.
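The DNS channel above is the one worth a concrete detection, because each check-in shows up as a query for a fresh label beneath the parent domain. The following Python is an added example, not code from the source report or from Cobalt Strike: it refangs the defanged indicator from the page, walks constructed DNS query log lines (the log format, client addresses, timestamps and subdomain labels are made up for illustration), and flags clients whose queries under the C2 parent domain arrive at a regular cadence. The minimum query count and jitter threshold are assumptions to tune against real traffic.

```python
"""Detect DNS beaconing to the C2 parent domain named in the text.

Added example; not code from the source report or from Cobalt Strike.
The log format (timestamp client qname qtype), the client addresses,
the timestamps and the subdomain labels are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Defanged indicator as written on the page; refanged before matching.
C2_PARENT = "dns.artstrailreviews[.]com"

# Constructed DNS query log. 10.0.0.12 queries a fresh label under the
# parent every 30 s (beaconing); 10.0.0.77 also queries it, but at an
# irregular cadence; 10.0.0.40 only resolves the apex, which is not a
# child of the parent and so is not counted.
SAMPLE_LOG = """\
2024-06-26T14:00:00Z 10.0.0.12 aaf9e1c7b8d2.dns.artstrailreviews.com TXT
2024-06-26T14:00:30Z 10.0.0.12 0c4b77a2e9f1.dns.artstrailreviews.com TXT
2024-06-26T14:00:31Z 10.0.0.12 www.microsoft.com A
2024-06-26T14:01:00Z 10.0.0.12 91d3c5e0ab44.dns.artstrailreviews.com TXT
2024-06-26T14:01:30Z 10.0.0.12 5fe2a17c03d9.dns.artstrailreviews.com TXT
2024-06-26T14:02:00Z 10.0.0.12 e7b01d4a6c22.dns.artstrailreviews.com TXT
2024-06-26T14:03:00Z 10.0.0.77 1a2b3c4d5e6f.dns.artstrailreviews.com A
2024-06-26T14:03:05Z 10.0.0.77 6f5e4d3c2b1a.dns.artstrailreviews.com A
2024-06-26T14:04:40Z 10.0.0.77 0f1e2d3c4b5a.dns.artstrailreviews.com A
2024-06-26T14:09:10Z 10.0.0.77 a5b4c3d2e1f0.dns.artstrailreviews.com A
2024-06-26T14:05:12Z 10.0.0.40 artstrailreviews.com A
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, qname.lower().rstrip("."), qtype


def queries_under(parent: str, lines) -> dict:
    """Map client -> sorted query timestamps for names below the parent domain."""
    suffix = "." + refang(parent).lower()
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        when, client, qname, _qtype = parse_line(line)
        if qname.endswith(suffix):
            hits[client].append(when)
    return {client: sorted(times) for client, times in hits.items()}


def beaconing_clients(lines, parent: str = C2_PARENT,
                      min_queries: int = 4, max_jitter: float = 0.2) -> dict:
    """Return {client: median interval in seconds} for clients whose queries
    under the parent domain arrive at a regular cadence. min_queries and
    max_jitter are assumed thresholds to be tuned against real traffic."""
    flagged = {}
    for client, times in queries_under(parent, lines).items():
        if len(times) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Relative spread of the gaps around the median; a sleeping beacon
        # with little jitter keeps this small even across many check-ins.
        spread = max(abs(g - median) for g in gaps) / median
        if spread <= max_jitter:
            flagged[client] = median
    return flagged


if __name__ == "__main__":
    for client, interval in beaconing_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: beaconing to {refang(C2_PARENT)} every ~{interval:.0f}s")
```

Matching on the suffix rather than the apex is deliberate: the apex resolution by 10.0.0.40 could be anything, while a host emitting unique labels under dns.artstrailreviews[.]com on a fixed period is the DNS Beacon pattern. The HTTPS side (wipresolutions[.]com) needs only a plain domain match in proxy or TLS SNI logs and is not shown here.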
An example of a beacon check-in, shown in Figure 6 of the source report, begins with a data length of 44 bytes (0x2c), followed by a unique identifier string (generated, in this sample, from the filename samp_f86ebe.exe), the hostname of the analysis system (DESKTOP-U9SM1U2), and the system's IP address 172.16.189[.]130 encoded as the 32-bit value 0xAC10BD82 in network byte order.
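To make the layout of that check-in concrete, here is a small builder and parser as an added example; it is not the source report's code nor the implant's. The page gives only the order of the fields, so the widths assumed below (a 4-byte big-endian length prefix, NUL-terminated identifier and hostname, then the IPv4 address as a 4-byte big-endian value) and the identifier value used in the sample are assumptions for illustration. The sample blob is constructed, not a capture; it reuses only the hostname and IP address from the figure.

```python
"""Build and parse a beacon check-in blob of the shape described above.

Added example, not the source report's or the implant's code. Assumed
layout (the page states the field order but not the field widths):
  u32 big-endian length of the body, then the body:
  NUL-terminated identifier, NUL-terminated hostname, u32 big-endian IPv4.
"""
import ipaddress
import struct


def build_checkin(identifier: str, hostname: str, ip: str) -> bytes:
    """Construct a sample check-in (test data, not a real capture)."""
    body = identifier.encode("ascii") + b"\x00"
    body += hostname.encode("ascii") + b"\x00"
    body += int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")
    return struct.pack(">I", len(body)) + body


def parse_checkin(blob: bytes) -> dict:
    """Decode the blob, refusing truncated, over-long or malformed input."""
    if len(blob) < 4:
        raise ValueError("too short for a length prefix")
    (length,) = struct.unpack(">I", blob[:4])
    body = blob[4:4 + length]
    if len(body) != length:
        raise ValueError(f"declared {length} body bytes, got {len(body)}")
    if len(blob) != 4 + length:
        raise ValueError("trailing bytes after the declared body")
    if length < 4:
        raise ValueError("body too short to hold an IPv4 address")
    # Everything before the final 4 bytes must be exactly two NUL-terminated
    # strings, so splitting on NUL yields id, hostname and an empty tail.
    fields = body[:-4].split(b"\x00")
    if len(fields) != 3 or fields[2] != b"":
        raise ValueError("expected two NUL-terminated strings before the IP")
    (ip_raw,) = struct.unpack(">I", body[-4:])
    return {
        "length": length,
        "id": fields[0].decode("ascii", "replace"),
        "hostname": fields[1].decode("ascii", "replace"),
        "ip_hex": f"0x{ip_raw:08X}",          # 0xAC10BD82 for the figure's host
        "ip": str(ipaddress.IPv4Address(ip_raw)),
    }


if __name__ == "__main__":
    # "id-f86ebe" is a placeholder; the page does not reproduce the real
    # identifier value, only that it derives from the filename.
    sample = build_checkin("id-f86ebe", "DESKTOP-U9SM1U2", "172.16.189.130")
    print(sample.hex())
    print(parse_checkin(sample))
```

The length check matters in practice: a decoder that trusts the declared length and reads past the buffer, or silently accepts a shorter body, is exactly where analysis tooling tends to crash or mis-attribute fields when fed a padded or partial capture.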
Description last updated: 2024-06-26T14:16:19.499Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cobalt Strike
Ransomware
Malware
Implant
Payload
Loader
Shellcode
Backdoor
Tool
Vpn
Mandiant
Google
Phishing
Source
Windows
Trojan
Microsoft
Proxy
Exploit
Associated Malware
Alias (association type, votes): description. Descriptions are cut off where the page truncates them.

Cobalt Strike (Unspecified, 6 votes): Cobalt Strike is a commercial adversary-simulation framework rather than a malware family, but its Beacon payload is widely abused by criminal and state-backed intrusion operators. Access is typically gained via suspicious downloads, emails, or websites, after which the payload is used to steal personal information, disrupt operations, or hold data for ransom. Cobalt Strike has been observed in conjunct…

Meterpreter (Unspecified, 4 votes): Meterpreter is the in-memory attack payload of the Metasploit penetration testing framework. It provides an interactive shell that lets an operator control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a…

Cobalt Strike Beacon (Unspecified, 4 votes): Cobalt Strike Beacon is the post-exploitation payload of Cobalt Strike and has been linked to various ransomware activities. It has been loaded by HUI Loader in several instances, with different files such as mpc.tmp, dlp.ini, and vmtools.ini being used. A unique feature of this Cobalt Strike Beacon shellc…

Reflective Loader (Unspecified, 3 votes): A reflective loader is a loading technique rather than a malware family: it maps a Dynamic Link Library (DLL) into a process directly from memory, without the Windows loader and without writing the DLL to disk, which makes the code harder for antivirus software to detect and remove. The loader operat…

pythonw.exe (Unspecified, 2 votes): pythonw.exe is the legitimate windowless Python interpreter for Windows, not malware in itself; it is listed here because a trojanized python310.dll loaded by a copy of it (see the python310.dll entry below) was used to execute malicious code on Windows systems. The copy arrives through suspicious downloads, emails, or websites without the user's knowledge, with the potential to steal personal info…

Diceloader (Unspecified, 2 votes): Diceloader is a malware loader designed to infiltrate and damage computer systems. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in…

Conti (Unspecified, 2 votes): Conti is a notorious ransomware family that infiltrates computer systems to steal data and disrupt operations. It often spreads through suspicious downloads, emails, or websites, and once inside it holds data hostage for ransom. The Conti ransomware op…

Carbanak (Unspecified, 2 votes): Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, active since 2012 and of Russian origin, has been particularly focused on exploiting the restaurant, gambling, and…

Ursnif (Unspecified, 2 votes): Ursnif, also known as Gozi or ISFB, is a banking trojan that has been distributed by the threat actor group TA551. It can infiltrate systems via suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or even hold data for ra…

PlugX (Unspecified, 2 votes): PlugX is a Remote Access Trojan (RAT) known for its stealthy operations and destructive capabilities. It is often used by threat actors to steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s…

Batloader (Unspecified, 2 votes): Batloader is a malware downloader posing as installers or updates for legitimate applications such as Microsoft Teams, Zoom, and others. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal…

Truebot (Unspecified, 2 votes): Truebot is malware used by the CL0P actors. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow…

SystemBC (Unspecified, 2 votes): SystemBC is malware that has been heavily used in cyber-attacks, often alongside other malicious software. It was observed with Quicksand and BlackBasta in 2023, during attacks attributed to a team deploying BlackBasta. The Play ransomware group also utilized SystemBC as part of…

python310.dll (Unspecified, 2 votes): python310.dll here refers to a trojanized copy of the Python runtime library that infiltrates systems and establishes persistence through a run key named "Python", whose value is set to "C:\Users\Public\Music\python\pythonw.exe". The malware can enter your…
Associated Threat Actors
Alias (association type, votes): description. Descriptions are cut off where the page truncates them.

FIN12 (Unspecified, 3 votes): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, the group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware and has been responsible for several high-profile ransomware…

Lace Tempest (Unspecified, 3 votes): Lace Tempest is the threat actor identified as the orchestrator behind a series of attacks exploiting a zero-day vulnerability in SysAid. The exploitation was first disclosed by SysAid and further detailed in a blog post on TuxCare. Thi…

Pistachio Tempest (Unspecified, 2 votes): Pistachio Tempest, also known as FIN12, is a threat actor identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a 2022 report by the U.S. Department of Health and Human Services (HHS), the group has specifically targeted healthcare en…

Arid Viper (Unspecified, 2 votes): Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyber espionage group active since at least 2013 that primarily targets countries in the Middle East. The group's geographical location remains unknown, but it is associated with Palestinian interests and is…

FIN7 (Unspecified, 2 votes): FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group active since 2012. It is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global…
Source Document References
Information about the Beacon attack pattern was read from the documents below (publisher and document age at the time the page was captured; the display is limited to 20 results):

Trend Micro (8 months ago)
CERT-EU (a year ago)
MITRE (2 years ago)
CERT-EU (2 years ago)
MITRE (2 years ago)
CISA (2 years ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
SecurityIntelligence.com (a year ago)
MITRE (2 years ago)
CISA (2 years ago)
CERT-EU (2 years ago)
Securelist (2 years ago)
SecurityIntelligence.com (2 years ago)
Trend Micro (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)