Malicious Campaign Analysis: JScript RAT and CobaltStrike

June 7, 2024, 9:37 a.m.

Description

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack begins with an obfuscated JScript loader distributed through suspected phishing campaigns. On execution, the loader contacts a command and control (C&C) server to retrieve a second-stage loader. That second stage uses WinHttpRequest and RC4 encryption to fetch the main RAT component, a JScript-based implant that maintains persistent communication with the C&C server to receive further instructions. The report provides technical analysis of the malware components and, based on the observed IP ranges, speculates on possible connections to simulated attacks or threat-actor testing.

Date

  • Created: June 7, 2024, 8:59 a.m.
  • Published: June 7, 2024, 8:59 a.m.
  • Modified: June 7, 2024, 9:37 a.m.

Indicators

  • c1f3e0ac0304f947fdd617c3972f4388c13cd23639f486d530ab1b3a5d5f971f
  • b3c38e68a626f8f1e5893cd157b697a4b871153230f6658f0d34a8eba929cdbf
  • 87852d6fdfe29086212810bf0f8e769bac46ad462cab145bf5543eab988c7d3b
  • 76aa4f684481d2072ce85d80b14a2660bc912dcc47c787faad44cc21f01d7b9a

Attack Patterns

  • JScript RAT
  • T1053.005 (Scheduled Task/Job: Scheduled Task)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1059.007 (Command and Scripting Interpreter: JavaScript)
  • T1071.001 (Application Layer Protocol: Web Protocols)
  • T1105 (Ingress Tool Transfer)
  • T1219 (Remote Access Software)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1027 (Obfuscated Files or Information)
  • T1059 (Command and Scripting Interpreter)