Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444

Michael Koczwara
11 min readSep 12, 2021
  • Threat Actors Infrastructure (VT Analysis).
  • Pivoting from 45.147.229[.]242
  • Pivoting from 104.194.10[.]21
  • Pivoting from 45.153.240[.]220
  • Short summary and IOC’s.
Threat Actors Cobalt Strike C2 Infrastructure

Threat Actors Infrastructure (VT Analysis)

The starting point is from the TrendMicro blog. I will take a look at joxinu[.]com, dodefoh[.]com, and pawevi[.]com, and I will try to find out if the Threat Actor deployed additional C2’s on the same hosting provider, subnets, and IP range.

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.ht

--

--

No responses yet