A recent cybersecurity incident has highlighted the sophisticated methods used by hackers to target web applications, particularly in South Korea.
The attackers leveraged a combination of tools, including Cobalt Strike, SQLMap, dirsearch, and Web-SurvivalScan, to exploit vulnerabilities and gain unauthorized access to government and commercial entities.
The threat actors utilized an open directory hosted on a server in Japan, which was briefly exposed, to manage their operations.
This directory contained a modified version of Cobalt Strike, known as Cobalt Strike Cat, which was delivered via a Rust-compiled Windows executable.
Additionally, the attackers employed SQLMap for SQL injection attacks, dirsearch to brute-force directories, and Web-SurvivalScan for subdomain enumeration.
These tools allowed them to identify vulnerable web applications and exploit SQL vulnerabilities, often resulting in the exfiltration of sensitive data.
The attackers compiled a list of over 1,000 Korean domains, including those belonging to government agencies and private businesses, which were likely used as input for Web-SurvivalScan.
According to the report, this enabled them to enumerate live subdomains for further analysis and potential exploitation.
A Python script, urls.py, was used to automate the organization of reconnaissance data, streamlining subdomain discovery and supporting follow-on exploitation efforts.
The malware analysis revealed that the attackers used Cobalt Strike Cat, a modified version of the popular post-exploitation tool, alongside Marte shellcode delivered via Rust-compiled loaders.
These loaders acted as an intermediate execution layer, decoding and running shellcode instead of dropping a standalone payload to disk.
The network behavior of the malware included unusual redirects, which could be tactics to disrupt analysis or mask communications with command-and-control servers.
The logs from the server indicated active intrusions, with beacon activity from compromised hosts.
The attackers used Scripted Web Delivery to stage payloads and maintain access to victim systems.
The use of SQL injection for initial access highlights the importance of enforcing input validation and applying security patches for web applications to prevent similar attacks in the future.
Organizations should monitor for unusual network traffic and log database queries to detect signs of exploitation attempts.
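As an added example that is not part of the report or the incident tooling, the small Python detector below applies the monitoring advice above to constructed web-server access-log lines: it URL-decodes each request path and flags SQL injection probe syntax, and counts 404 responses per client to surface the burst pattern a directory brute-forcer leaves behind. The log lines, addresses, paths and the 404 threshold are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# SQL injection probe syntax, matched against the URL-decoded request path.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b[\s/*]+\bselect\b"                # UNION-based extraction
    r"|['\"]\s*(or|and)\s+\d+\s*=\s*\d+"              # boolean tautology tests, e.g. ' AND 1=1
    r"|\b(sleep|benchmark|pg_sleep|waitfor)\b\s*\(?"  # time-based probes
    r"|--(\s|$)|/\*.*\*/)"                            # SQL comment terminators
)
DIRBRUTE_404_THRESHOLD = 3  # 404s from one client in the analysed window (assumed tuning value)

# Constructed sample lines using RFC 5737 test addresses; not taken from the incident.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0900] "GET /board/view.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:02 +0900] "GET /board/view.php?id=12%27%20AND%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:03 +0900] "GET /board/view.php?id=12%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:04 +0900] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:04 +0900] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:05 +0900] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-request line
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])  # decode %27, %20, + before matching
    return rec

def detect(log_text):
    # Returns (sqli_hits, dirbrute_ips): probe records and clients with 404 bursts.
    sqli_hits, not_found = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["decoded_path"]):
            sqli_hits.append((rec["ip"], rec["decoded_path"], rec["status"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    dirbrute_ips = sorted(ip for ip, n in not_found.items() if n >= DIRBRUTE_404_THRESHOLD)
    return sqli_hits, dirbrute_ips

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The decode step matters: the same probe arrives percent-encoded, and matching the raw path would miss it.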