Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance

The sample includes a loader/packer Dynamic Link Library (DLL) named vpn.sessings that loads a Cobalt Strike Beacon into memory and awaits instructions from the C&C server. Persistence is achieved through the Command Processor AutoRun registry value: HKCU\Software\Microsoft\Command Processor\AutoRun is set to "start regsvr32 /s C:\vpn.sessings". Because cmd.exe runs the AutoRun value every time it starts, this re-executes the malware each time cmd.exe is launched.

Disclaimer: This article is part of the X-Force OSINT Advisories automated collection, which enables faster integration of open-source articles into client environments. All credit and copyright goes to the original authors.

Reference:
https://www.deepinstinct.com/blog/uncorking-old-wine-zero-day-cobalt-strike-loader

Sample Indicators of Compromise:

File hashes (SHA-256):
976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50
0bc0e9410f4a9703ff0b5af7ec9383a1cc929572ade09fbd2c69ed2ae1486939
b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4

Domain:
weavesilk.space

IP address:
109.107.178.241
