Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444

Michael Koczwara
11 min read · Sep 12, 2021
  • Threat Actors Infrastructure (VT Analysis).
  • Pivoting from 45.147.229[.]242
  • Pivoting from 104.194.10[.]21
  • Pivoting from 45.153.240[.]220
  • Short summary and IOCs.
Threat Actors Cobalt Strike C2 Infrastructure

Threat Actors Infrastructure (VT Analysis)

The starting point is the Trend Micro blog post linked below. I will take a look at joxinu[.]com, dodefoh[.]com, and pawevi[.]com, and try to find out whether the Threat Actor deployed additional C2s on the same hosting provider, subnets, and IP ranges.

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.ht
