Hacking campaign targeting Myanmar found to be using domain fronting to conceal malicious activity

A hacking campaign uncovered has been found to implement the technique of domain fronting to disguise command-and-control traffic by leveraging a valid domain belonging to the Myanmar government with the aim to route transmissions to an attacker-controlled server whilst remaining hidden.   

The campaign which was detected in September 2021 distributed Cobalt Strike payloads as a tactic to gain a foothold in order to deploy further attacks under the disguise of a domain linked to the Myanmar Digital News Network, a state-owned digital newspaper.  

Researchers from Cisco Talos Chetan Raghuprasad,Vanja Svajcer and Asheer Malhotra reported in a technical analysis published on Tuesday that “When the Beacon is launched, it will submit a DNS request for a legitimate high-reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPs requests header to instruct the CDN to direct the traffic to an attacker-controlled host”. 

Released in 2012 to address deficiencies found in the renowned Metasploit penetration-testing and hacking framework, Cobalt Strike is a well-known red team software that is utilised by penetration testers to imitate actions of threat actors in a network.  

However, whilst the software is used to replicate cyberattacks, the software has become increasingly used as an initial access payload to allow threat actors to deploy a range of post-exploitation activities including lateral movement and the further distribution of a range of malware.  

Despite being accessible directly from the vendor’s website for £2596.59 ($3,500) for an annual license per user, Cobalt Strike can also be purchased from hacking forums on the dark web. Threat actors may also use illegitimate versions of the software.  

Regarding the recent campaign, it was detected by Talos that whilst the targeted machine sends an initial DNS request to the government owned host, the actual command-and-control (C2) transmissions is diverted to an attacker-controlled server, successfully replicating legitimate traffic movement to obscure malicious operations from security platforms and solutions.  

Shared by the researchers, “While the default C2 domain was specified as www[.]mdn[.]gov[.]mm, the beacon’s traffic was redirected to the de-facto C2 test[.]softlemon[.]net via HTTP Get and POST metadata specified in the beacon’s configuration” and further specified, “The DNS request for the initial host resolves to a Cloudflare-owned IP address that allows the attacker to employ domain fronting and send the traffic to the actual C2 host test[.]softlemon[.]net, also proxied by Cloudflare”.  

The C2 server is no longer operating and instead functions as a Windows server running Internet Information Services (IIS), stated researchers.  

Outlined by the researchers, “Domain fronting can be achieved with a redirect between the malicious server and the target. Malicious actors may misuse various content delivery networks (CDNs) to set up redirects of serving content to the content served by attacker-controlled C2 hosts.”   

Also reported by researchers, “Defenders should monitor their network traffic even to high reputation domains in order to identify the potential domain fronting attacks with Cobalt Strike and other offensive tools.”