A cyber security blog

Hunting for Leaked Cobalt Strike v4.9 servers

News about a leak of Cobalt Strike v4.9 broke out on 2023-10-09 and there seems to be two versions, one appears to be leaked by an actor that goes by alias "pwn3rzs" and the other one is allegedly available on a Chinese website.

We got our hands on the "pwn3rzs" leak and started playing around and searching for indicators. We noticed that it contains a script which does minor checks and applies some configurations. Then, it proceeds to run the CS Team Server. The configuration introduced contains several changes but what caught our eyes is generating an SSL/TLS certificate. This certificate is used later by the "Team Server".

teamserver script

Taking a close look at the parameters passed to the keytool command, we noticed multiple indicators that we can utilize to build detection rules to identify the infra being used by a threat actor who decided to utilize this leaked version of CS without introducing any changes on the configuration (specifically the SSL/TLS certificate parameters)

The indicators we extracted are as follows:

  1. The "Team Server" will be running at port 50050
  2. The service on that port will be utilizing the generated SSL/TLS certificate with the following values:
Field Value
Common Name Pwn3rs Striked
Organization Pwn3rs
Organizational Unit AdvancedReversing
Locality or City Around
State or Province Over
Country Name There

We attempted to test our detection rules in the wild and we already got multiple hits:

Searching for the indicators

We decided to pivot from identified certificate(s) to corresponding host(s) and found two servers:

Host 1
Host 2

We verified the served SSL/TLS certificate manually and we can confirm it matches the indicators collected from the leak.

C2 Servers:

  1. 101[.]43[.]241[.]60
  2. 23[.]224[.]131[.]86

SSL Certificate Indicators:

Field Value
Common Name Pwn3rs Striked
Organization Pwn3rs
Organizational Unit AdvancedReversing
Locality or City Around
State or Province Over
Country Name There

Leaked File Hashes

Filename SHA256 SHA1
CobaltStrike 4.9 Client Only Full Theme uCare@Pwn3rzs.7z 31a98200d59d412c8621abcec1a54204e873d0cf3ccddb741a0e1bcc90bc91b1 ac193b5bb51d6fb8067d7d90a8f2a6be76504ce
CobaltStrike 4.9 Cracked uCare@Pwn3rzs.7z 235e31f417f11cff624b3db99ceb35f42ac33c9e78a85a06ec5f084d4604b70a 6d18b196d16571c4f4e1e30d79ac2591b279bcb

Authors:

- Humoud Al Saleh
- Majid Alqabandi

Subscribe to Cyphur Blog

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe