A malicious campaign has been discovered that uses domain fronting to disguise command-and-control traffic: a valid Myanmar government domain is used as the apparent destination while the communications are redirected to an attacker-controlled server in order to avoid detection.
The threat, first detected in September 2021, used Cobalt Strike payloads as a stepping stone for launching subsequent attacks, with the adversary using a domain connected with Myanmar Digital News, a state-owned digital newspaper, as a front for its Beacons.
Cobalt Strike is a prominent red-team tool that penetration testers use to imitate threat actor activity on a network. It was first launched in 2012 to address perceived shortcomings in the popular Metasploit penetration-testing and hacking framework.
However, because the tool simulates attacks by actually carrying them out, it has become a formidable weapon in the hands of malware operators, who use it as an initial-access payload that allows them to perform a variety of post-exploitation activities, such as lateral movement and the deployment of a wide range of malware.
Although threat actors can purchase Cobalt Strike directly from the vendor’s website for $3,500 per user for a one-year licence, the programme can also be bought on the dark web via underground hacking forums, or threat actors can obtain cracked, illegal versions of the software.
The Beacon makes the initial DNS request to the government-owned host, while the real command-and-control (C2) traffic is discreetly rerouted to an attacker-controlled server; the result mimics normal traffic patterns in an attempt to evade detection by security solutions.
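Domain fronting leaves a characteristic trace wherever TLS can be inspected: the name presented in the TLS handshake (SNI) belongs to the legitimate front, while the HTTP Host header inside the tunnel names the real destination. The following detection routine is an added example, not code from the article; the log format, the hostnames and the IP address are constructed for illustration, and the registrable-domain helper is a deliberately crude approximation rather than a full public-suffix lookup.

```python
import re
from collections import Counter

# Constructed sample records (not from the article). Each pairs the TLS SNI seen in the
# handshake with the HTTP Host header seen inside the tunnel, as a TLS-inspecting proxy
# or sensor might log them. The .gov.mm name stands in for a legitimate front; the
# .invalid name stands in for the attacker-controlled server.
SAMPLE_LOGS = [
    "ts=2021-09-14T08:01:12Z src=10.0.5.23 sni=www.example-news.gov.mm host=www.example-news.gov.mm",
    "ts=2021-09-14T08:01:13Z src=10.0.5.23 sni=www.example-news.gov.mm host=cdn-edge.attacker-c2.invalid",
    "ts=2021-09-14T08:01:15Z src=10.0.5.23 sni=cdn-edge.attacker-c2.invalid host=cdn-edge.attacker-c2.invalid",
    "ts=2021-09-14T08:02:40Z src=10.0.5.23 sni=www.example-news.gov.mm host=cdn-edge.attacker-c2.invalid",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn a key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def registrable_domain(fqdn):
    """Crude eTLD+1 approximation: keep the last two labels, or the last three when the
    name ends in a short second-level label under a two-letter ccTLD (e.g. gov.mm)."""
    labels = fqdn.lower().rstrip(".").split(".")
    use_three = len(labels) >= 3 and len(labels[-2]) <= 3 and len(labels[-1]) == 2
    return ".".join(labels[-3:] if use_three else labels[-2:])


def find_fronted_sessions(lines):
    """Return records whose TLS SNI and HTTP Host disagree at the registrable-domain
    level: the signature of a fronted connection (or of a legitimate CDN, see note)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue  # records without both fields cannot be judged
        if registrable_domain(sni) != registrable_domain(host):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (source, sni, host) triples so repeated beaconing to one pair stands out."""
    return Counter((h["src"], h["sni"], h["host"]) for h in hits)


if __name__ == "__main__":
    for key, count in summarize(find_fronted_sessions(SAMPLE_LOGS)).items():
        print(count, *key)
```

Legitimate CDN traffic also produces SNI/Host mismatches, so in production the pairs flagged here are compared against an allowlist of known CDN front/origin combinations and ranked by repetition from a single host; the check only works where the Host header is visible, i.e. at a TLS-inspecting proxy or on the endpoint.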