According to a Shodan search, the C2 server presents two self-signed SSL certificates with the serial numbers 65328157968798068766544761773100, valid from J… to July 14, 2023. The server is hosted in the Netherlands on Alibaba Cloud infrastructure at the IP address 18522573238 and runs Ubuntu Linux 18.04; Talos identified it as the C2 server used in this campaign.

Attacker-controlled Bitbucket repository

The account "atlasover" was active at the time of the study and gave us the hosting details for some of the malicious files used in this campaign. The addresses are controlled by two attacker accounts. The Bitbucket addresses associated with this campaign are https://bitbucket.org/atlasover/atlassiancore/downloads and https://bitbucket.org/clouchfair/oneproject/downloads. (Cisco Talos)

Malicious repository

The campaign's attacker hosted the Cobalt Strike DLLs and malicious DOTM templates on Bitbucket under several identities.
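The certificate pivot behind the Shodan finding above, as an added example that is not part of the original page or of the Talos report: a Go program that generates a self-signed certificate with a chosen serial number and validity window (constructed values, not the report's), serves it on a loopback port the way a team server would, then connects the way an analyst would and records the serial, validity dates and whether the certificate is self-signed. The host name "c2.example", the serial and the dates are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertFingerprint holds the fields an analyst records from a server's TLS
// certificate when pivoting on infrastructure: serial, validity window and
// whether the certificate is self-signed.
type CertFingerprint struct {
	Serial     string
	Subject    string
	Issuer     string
	NotBefore  time.Time
	NotAfter   time.Time
	SelfSigned bool
}

// NewSelfSignedCert builds a self-signed certificate with a caller-chosen serial
// number and validity window. It stands in for the certificate a C2 server
// presents; the values are constructed for this example, not taken from the report.
func NewSelfSignedCert(serial *big.Int, cn string, notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	// Parent == template: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServeTLS listens on a loopback port with the given certificate and completes
// handshakes so a client can observe the certificate. It returns the listener's
// address and a function that stops it.
func ServeTLS(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// The server side of the handshake runs lazily; force it so the
				// client receives the certificate before the connection is closed.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Fingerprint connects to addr, deliberately skipping chain verification (a
// self-signed C2 certificate would never verify), and extracts the leaf
// certificate's identifying fields. A certificate counts as self-signed when its
// issuer equals its subject and its signature verifies under its own public key.
func Fingerprint(addr string) (CertFingerprint, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertFingerprint{}, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return CertFingerprint{}, fmt.Errorf("no certificate presented by %s", addr)
	}
	leaf := certs[0]
	selfSigned := leaf.Subject.String() == leaf.Issuer.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	return CertFingerprint{
		Serial:     leaf.SerialNumber.String(),
		Subject:    leaf.Subject.String(),
		Issuer:     leaf.Issuer.String(),
		NotBefore:  leaf.NotBefore,
		NotAfter:   leaf.NotAfter,
		SelfSigned: selfSigned,
	}, nil
}

func main() {
	// Constructed values: a one-year self-signed certificate. Not the report's serial.
	serial, _ := new(big.Int).SetString("123456789012345678901234567890", 10)
	nb := time.Date(2022, 7, 14, 0, 0, 0, 0, time.UTC)
	na := time.Date(2023, 7, 14, 0, 0, 0, 0, time.UTC)
	cert, err := NewSelfSignedCert(serial, "c2.example", nb, na)
	if err != nil {
		panic(err)
	}
	addr, stop, err := ServeTLS(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	fp, err := Fingerprint(addr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s serial=%s self-signed=%v valid %s to %s\n", addr, fp.Serial, fp.SelfSigned,
		fp.NotBefore.Format("2006-01-02"), fp.NotAfter.Format("2006-01-02"))
}
```

InsecureSkipVerify is intentional here: the goal is to read the certificate, not to trust it, and a self-signed certificate would fail verification anyway. The serial and validity window are the fields to compare against stored scan records to find other hosts presenting the same certificate; on its own a serial is a weak pivot, so confirm a match with the subject and the validity dates as well.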