COBALT AGORA
SUMMARY
Active since at least 2019, COBALT AGORA focuses on organizations in the United Arab Emirates. The group operates custom malware families, such as the SheepTransportShell webshell, the G0Dx PowerShell RAT and the SPLSVC PowerShell pipe server, alongside legitimate tools commonly abused by other threat actors, including ProcDump, PuTTY and Ngrok.
Several vendors have documented COBALT AGORA exploiting CVE-2020-0688 throughout 2020 to gain unauthorized access to vulnerable Exchange servers. CVE-2020-0688 requires valid credentials to exploit, and COBALT AGORA has demonstrated the ability to obtain credentials, use them to run the exploit, and then maintain remote access through legitimate solutions already deployed in the target environment.
SheepTransportShell (TransportClient.dll) is a webshell written in C# that can execute commands directly via cmd.exe or pass them to the 'splsvc' named pipe. It is installed as an IIS module using the Appcmd.exe tool, a technique reminiscent of RGDOOR, used by COBALT LYCEUM and COBALT GYPSY.
G0Dx, a basic RAT written in PowerShell, has been in use since 2019 and has changed little in that time. It can be delivered directly following an intrusion or via phishing with a malicious self-extracting archive that displays a decoy PDF to the user while installing the malware in the background.
COBALT AGORA uses scheduled tasks to persist its scripts, often giving the task a Google- or Chrome-themed name. Elements of COBALT AGORA activity are documented in the public blog https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran
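The three host-level behaviours described above (an IIS module registered with Appcmd.exe, a 'splsvc' named pipe, and Google- or Chrome-themed scheduled tasks that run scripts) can be turned into simple detection logic. The following is an added example written for this page, not Secureworks code and not derived from the malware itself. The log lines are constructed to mimic Sysmon (EventID 1 process creation, EventID 17 pipe creation) and Windows Security (EventID 4698 scheduled task creation) events; the module type, task names and script path in the samples are hypothetical placeholders.

```python
import json
import re

# Constructed sample telemetry (not real captures). Each line is one JSON object in a
# Sysmon-like (EventID 1 process create, EventID 17 pipe created) or Windows
# Security-like (EventID 4698 scheduled task created) shape. The /type: value, the
# task names and the script path are hypothetical placeholders for illustration.
SAMPLE_LOG_LINES = [
    # Managed IIS module registered with appcmd.exe: the install path the profile
    # attributes to SheepTransportShell (TransportClient.dll).
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
                "CommandLine": r"appcmd.exe add module /name:TransportClient /type:TransportClient.Module"}),
    # Benign appcmd.exe use: must not fire.
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
                "CommandLine": "appcmd.exe list sites"}),
    # The 'splsvc' named pipe created by an IIS worker process.
    json.dumps({"EventID": 17, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "PipeName": r"\splsvc"}),
    json.dumps({"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"}),
    # Chrome-themed task whose action is a hidden PowerShell script: the persistence pattern on the page.
    json.dumps({"EventID": 4698, "TaskName": r"\GoogleChromeUpdater",
                "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                               r"<Arguments>-w hidden -ep bypass -File C:\ProgramData\update.ps1</Arguments>"
                               "</Exec></Actions></Task>"}),
    # Genuine Google updater task: Google-themed name, but the action is GoogleUpdate.exe, so it must not fire.
    json.dumps({"EventID": 4698, "TaskName": r"\GoogleUpdateTaskMachineUA",
                "TaskContent": "<Task><Actions><Exec>"
                               r"<Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>"
                               "<Arguments>/ua /installsource scheduler</Arguments></Exec></Actions></Task>"}),
]

# appcmd.exe registering a module (managed: "add module", native: "install module").
APPCMD_MODULE_RE = re.compile(r"\b(add|install)\s+module\b", re.I)
# Sysmon reports pipe names with a leading backslash; accept it with or without.
SPLSVC_PIPE_RE = re.compile(r"^\\?splsvc$", re.I)
# Task-name theme the profile attributes to the group.
THEME_RE = re.compile(r"google|chrome", re.I)
# Script hosts or script file extensions in a task action; a real Google Update task runs GoogleUpdate.exe.
SCRIPT_EXEC_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|cmd|mshta)(\.exe)?\b|\.(ps1|vbs|js|bat|cmd|hta)\b", re.I)


def exec_action(task_xml):
    """Return (command, arguments) from a 4698 TaskContent blob; empty strings if absent."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_xml, re.S)
    return (cmd.group(1).strip() if cmd else "", args.group(1).strip() if args else "")


def check_event(ev):
    """Return (rule_name, detail) when one parsed event matches a rule, else None."""
    eid = ev.get("EventID")
    if eid == 1 and ev.get("Image", "").lower().endswith("\\appcmd.exe"):
        if APPCMD_MODULE_RE.search(ev.get("CommandLine", "")):
            return ("iis_module_registered", ev["CommandLine"])
    if eid == 17 and SPLSVC_PIPE_RE.match(ev.get("PipeName", "")):
        return ("splsvc_pipe_created", ev.get("Image", ""))
    if eid == 4698:
        name = ev.get("TaskName", "")
        cmd, args = exec_action(ev.get("TaskContent", ""))
        # Require both the theme and a script-based action to avoid firing on the real updater tasks.
        if THEME_RE.search(name) and SCRIPT_EXEC_RE.search(cmd + " " + args):
            return ("themed_task_runs_script", f"{name} -> {cmd} {args}".strip())
    return None


def scan(lines):
    """Parse one JSON event per line, skipping malformed lines, and collect rule hits in order."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG_LINES):
        print(f"{rule}: {detail}")
```

Two caveats when running this against real data: exported 4698 events often carry the TaskContent XML entity-escaped (`&lt;Command&gt;`), so unescape it before matching, and `appcmd add module` is also legitimate administrator activity, so the module-registration hit is best correlated with a subsequent pipe creation or unexpected child process from w3wp.exe rather than alerted on alone.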