Hunting for Leaked Cobalt Strike v4.9 servers

News about a leak of Cobalt Strike v4.9 broke out on 2023-10-09 and there seems to be two versions, one appears to be leaked by an actor that goes by alias "pwn3rzs" and the other one is allegedly available on a Chinese website.

We got our hands on the "pwn3rzs" leak and started playing around and searching for indicators. We noticed that it contains a script which does minor checks and applies some configurations. Then, it proceeds to run the CS Team Server. The configuration introduced contains several changes but what caught our eyes is generating an SSL/TLS certificate. This certificate is used later by the "Team Server".

Taking a close look at the parameters passed to the keytool command, we noticed multiple indicators that we can utilize to build detection rules to identify the infra being used by a threat actor who decided to utilize this leaked version of CS without introducing any changes on the configuration (specifically the SSL/TLS certificate parameters)

The indicators we extracted are as follows:

1. The "Team Server" will be running at port 50050
2. The service on that port will be utilizing the generated SSL/TLS certificate with the following values:

We attempted to test our detection rules in the wild and we already got multiple hits:

We decided to pivot from identified certificate(s) to corresponding host(s) and found two servers:

We verified the served SSL/TLS certificate manually and we can confirm it matches the indicators collected from the leak.

C2 Servers:

1. 101[.]43[.]241[.]60
2. 23[.]224[.]131[.]86

SSL Certificate Indicators:

Leaked File Hashes

Authors:

- Humoud Al Saleh
- Majid Alqabandi