Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444

Michael Koczwara
11 min readSep 12, 2021
  • Threat Actors Infrastructure (VT Analysis).
  • Pivoting from 45.147.229[.]242
  • Pivoting from 104.194.10[.]21
  • Pivoting from 45.153.240[.]220
  • Short summary and IOC’s.
Threat Actors Cobalt Strike C2 Infrastructure

Cobalt Strike C2 Infrastructure possibly attributed to CVE-2021-40444

Edit description

Threat Actors Infrastructure (VT Analysis)

The starting point is from the TrendMicro blog. I will take a look at joxinu[.]com, dodefoh[.]com, and pawevi[.]com, and I will try to find out if the Threat Actor deployed additional C2’s on the same hosting provider, subnets, and IP range.

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html

Remote Code Execution Zero-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs

Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This…

https://joxinu[.]com

45.147.229[.]242

45.147.229.242

Search Engine for the Internet of Things

VT detection

VirusTotal

VirusTotal

Michael Koczwara

Written by Michael Koczwara

1.3K Followers

Threat Researcher