A malicious campaign has been found leveraging a technique called domain fronting to hide command-and-control traffic by leveraging a legitimate domain owned by the Myanmar government to route communications to an attacker controlled server with the goal of evading detection.

The threat, deployed Cobalt Strike payloads as a stepping stone for launching further attacks, with the adversary using a domain associated with the Myanmar Digital News network, a state-owned digital newspaper, as a front for their Beacons.

Advertisements

When the Beacon is launched, it will submit a DNS request for a legitimate high reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPs requests header to instruct the CDN to direct the traffic to an attacker controlled host.

The execution of the Beacon results in the victim machine sending the initial DNS request to the government-owned host, while the actual C2 traffic is stealthily redirected to an attacker controlled server, effectively mimicking legitimate traffic patterns in an attempt to escape detection by security solutions.

While the default C2 domain was specified as www[.]mdn[.]gov[.]mm, the beacon’s traffic was redirected to the de-facto C2 test[.]softlemon[.]net via HTTP Get and POST metadata specified in the beacon’s configuration.The DNS request for the initial host resolves to a Cloudflare owned IP address that allows the attacker to employ domain fronting and send the traffic to the actual C2 host test[.]softlemon[.]net, also proxied by Cloudflare.

The C2 server, however, is no longer active, according to the researchers, who noted that it’s a Windows server running Internet Information Services (IIS).

Advertisements

Domain fronting can be achieved with a redirect between the malicious server and the target. Malicious actors may misuse various content delivery networks (CDNs) to set up redirects of serving content to the content served by attacker controlled C2 hosts.Defenders should monitor their network traffic even to high reputation domains in order to identify the potential domain fronting attacks with Cobalt Strike and other offensive tools.

IOCs

Hashes

658d550322cefa6efc51fbfd1a3e02839d1e519a20f8f17f01c534c0eaf36f27
e806e55713b9e46dc7896521ffb9a8b3abaa597147ea387ff2e93a2469546ba9
a0aec3e9cb3572a71c59144e9088d190b4978056c5c72d07cb458480213f2964

Network IOCs

Hosts

test[.]softlemon[.]net
dark-forest-002.president[.]workers[.]dev

IP addresses

193[.]135[.]134[.]124

URLs

hxxp://test[.]softlemon[.]net:8081/api/3
hxxp://test[.]softlemon[.]net/
tcp://test[.]softlemon[.]net:8080/
hxxps://193[.]135[.]134[.]124:8443
hxxp://193[.]135[.]134[.]124:8080
hxxp://193[.]135[.]134[.]124:8081