Tricks, Treats, and Threats: Cobalt Strike & the Goblin Lurking in Plain Sight
Published on Oct 31, 2024
In the spirit of Halloween, a recent open directory discovery offers a curious combination of tools: Cobalt Strike, Goblin, and BrowserGhost. These names may evoke a playful twist, but each represents serious capabilities often leveraged by red teams and adversaries. This collection of sinister tools sits waiting in the open, much like treats left out on Halloween night, but for those who wander into this directory, the tricks are lurking, too.
Summary of Findings:
- An open directory exposed Cobalt Strike 4.2, a widely used post-exploitation framework, along with exploit code targeting vulnerabilities (CVEs) dating back to 2014.
- BrowserGhost is a red team tool for extracting saved passwords from web browsers, suggesting a focus on credential theft.
- The open-source Goblin phishing tool was possibly used to target Chinese-speaking educational platforms and steal user credentials.
A Curious Encounter: Analyzing the Open Directory
The open directory hosted at 199.187.25[.]57:8899 on Cloudie Limited's ASN in Hong Kong provided a unique glimpse into a collection of tools likely used for malicious purposes. Among the contents was Cobalt Strike version 4.2, released in November 2020, a folder named "goblin," which we'll cover later, and logs capturing command history and output.
The server, likely running a Linux-based operating system, hosted the directory using Python 3.8.10 SimpleHTTP version 0.6. Beyond the directory contents, Hunt scanners identified several Cobalt Strike team servers on ports 88, 4343, and 5555. An Nginx web server on port 80 responded with a 404 error displaying a "Site Not Found" message in Simplified Chinese.
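Defenders hunting for similar exposures can fingerprint a response like the one described above: the Server banner a Python http.server instance emits, and the "Directory listing for" title that marks an open listing. The following is an added example, not code from the post or from Hunt.io. The HTTP responses it parses are constructed to match the banner the post names (SimpleHTTP 0.6 on Python 3.8.10), the folder names it mentions, and the nginx "Site Not Found" 404; they are not captures from the real server.

```python
import re
from email.parser import BytesHeaderParser

# Constructed sample response, modelled on the banner the post describes
# (SimpleHTTP 0.6 on Python 3.8.10) and the folders it names. Not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: SimpleHTTP/0.6 Python/3.8.10\r\n"
    b"Date: Thu, 31 Oct 2024 00:00:00 GMT\r\n"
    b"Content-type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html>\n<head>\n<title>Directory listing for /</title>\n</head>\n"
    b"<body>\n<h1>Directory listing for /</h1>\n<hr>\n<ul>\n"
    b'<li><a href="cs4.2/">cs4.2/</a></li>\n'
    b'<li><a href="goblin/">goblin/</a></li>\n'
    b"</ul>\n<hr>\n</body>\n</html>\n"
)

# Constructed nginx-style 404, standing in for the port-80 "Site Not Found" page.
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Site Not Found</body></html>\n"
)

SERVER_RE = re.compile(r"^SimpleHTTP/(?P<simplehttp>[\d.]+) Python/(?P<python>[\d.]+)$")
LISTING_RE = re.compile(r"<title>Directory listing for (?P<path>[^<]*)</title>")
ENTRY_RE = re.compile(r'<li><a href="([^"]+)">')


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = BytesHeaderParser().parsebytes(header_block)
    return status, headers, body.decode("utf-8", "replace")


def fingerprint_open_directory(raw):
    """Flag a Python http.server directory listing and record the version banner."""
    status, headers, body = parse_response(raw)
    result = {"open_directory": False, "server": None, "python": None,
              "path": None, "entries": []}
    banner = SERVER_RE.match(headers.get("Server", ""))
    if banner:
        result["server"] = "SimpleHTTP/" + banner["simplehttp"]
        result["python"] = banner["python"]
    listing = LISTING_RE.search(body)
    if status == 200 and listing:
        result["open_directory"] = True
        result["path"] = listing["path"]
        result["entries"] = ENTRY_RE.findall(body)
    return result


if __name__ == "__main__":
    print(fingerprint_open_directory(SAMPLE_RESPONSE))
    print(fingerprint_open_directory(SAMPLE_404))
```

The banner and the listing title are checked separately on purpose: a SimpleHTTP banner alone only says a Python test server is exposed, while a 200 response carrying the listing title is what makes it an open directory worth triaging.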
Interestingly, the watermark extracted from the beacon configuration (click the "i" button next to the Cobalt Strike symbol), 1359593325, was seen associated with just 15 other servers according to our visibility. Such a small number of servers sharing this unique identifier suggests a distinct, but possibly larger, managed operation.
Nested within the cs4.2 folder were additional payloads targeting historical vulnerabilities like CVE-2014-4113 and CVE-2020-0796, Meterpreter, and web shell payloads: evidence of a comprehensive toolkit geared towards exploitation and persistence.
*A complete list of all the IP addresses sharing the watermark can be found at the end of this post.
On October 15, this server briefly hosted a well-known Cobalt Strike TLS certificate (SHA-256: DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687) for just one day. The only other IP to share this certificate was 47.108.74[.]30, hosted on Aliyun Computing Co. LTD's ASN, indicating potential shared infrastructure or coordination between the two servers or actors.
Goblin's Tricks: Phishing with a Purpose
The Goblin phishing tool, as described in its GitHub project overview, serves as a platform for red and blue team exercises. Goblin operates by proxying traffic to mimic user interactions while remaining unobtrusive, allowing for an authentic simulation of phishing attempts. Its customizable plug-ins and support for embedded JavaScript make it adaptable for legitimate training scenarios and potential malicious use.
A review of Goblin's YAML configuration file in the directory reveals that the operator has configured traffic to proxy through yunxiao[.]com, a domain associated with Alibaba Cloud's Yunxiao DevOps platform, and laoshanedu[.]cn. While the purpose behind this setup remains unclear, our analysis failed to reveal any injected JavaScript or identifiable phishing targets.
Further analysis revealed that laoshanedu[.]cn was registered in November 2023 with Beijing Xinnet Digital Information Technology Co., Ltd. and used nameservers from xincache[.]com. Using an education-based naming format and recent setup suggests the domain may serve as a plausible cover for Goblin, potentially mimicking an educational institution.
BrowserGhost: A Phantom's Approach to Credential Access
The final tool we'll examine, BrowserGhost, is another open-source utility, this time found within the Cobalt Strike folder, designed to extract stored passwords from popular web browsers, including Chrome, Firefox, 360 Extreme, and Edge.
Alongside BrowserGhost, the directory also contained HackBrowserData, a tool specifically built to extract and decrypt sensitive browser information. This combination of tools hints at an operator with a strong interest in harvesting browser-stored credentials, signaling a well-equipped red team or an adversary with a clear focus on data exfiltration from compromised systems.
Closing the Door on a Haunted Directory
In wrapping up our Halloween dive into this open directory, we've highlighted tools like Cobalt Strike, Goblin, and BrowserGhost—each with capabilities that extend from red teaming to potentially darker uses. Our findings highlight how such tools, although often seen in professional settings, can be used for more sinister purposes—a reminder of the treats and tricks still hidden within the cybersecurity threat landscape.
If you want to learn more about these spooky threats and light your Jack-o-lantern against their tricks, get in touch with Hunt.io!
Open Directory Observables
| IP Address | Hosting Country | ASN | Cobalt Strike Watermark |
|---|---|---|---|
| 199.187.25[.]57:8899 | HK | Cloudie Limited | 1359593325 |
Shared Certificate (Major Cobalt Strike)
| IP Address | Hosting Country | ASN | Domain(s) | Certificate |
|---|---|---|---|---|
| 47.108.74[.]30 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | tbc.cbshscs.comtom[.]cn, cbshscs.comtom[.]cn, file.cbshscs.comtom[.]cn | Common Name: Major Cobalt Strike; Country: Earth; Org: cobaltstrike; OrgUnit: AdvancedPenTesting; City: Somewhere; State: Cyberspace; SHA-256: DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687 |
Cobalt Strike Watermark (1359593325) Overlaps
| IP Address | Hosting Country | ASN | Domain(s) |
|---|---|---|---|
| 43.134.183[.]43 | HK | Tencent Building, Kejizhongyi Avenue | N/A |
| 101.132.182[.]180 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | N/A |
| 106.15.40[.]123 | CN | Hangzhou Alibaba Advertising Co.,Ltd. | N/A |
| 39.98.196[.]145 | CN | Zhejiang Taobao Network Co.,Ltd | N/A |
| 94.74.105[.]131 | HK | HUAWEI CLOUDS | N/A |
| 1.15.247[.]249 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A |
| 1.117.72[.]154 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A |
| 27.102.118[.]70 | SK | DAOU TECHNOLOGY | ns1.kjdfklha[.]top, ns2.kjdfklha[.]top, kjdfklha[.]top, blog.kjdfklha[.]top |
| 210.1.226[.]164 | MA | TechAvenue Malaysia | N/A |
| 101.43.157[.]20 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A |
| 106.52.236[.]88 | CN | Shenzhen Tencent Computer Systems Company Limited | src.idvfecx.qiniudns[.]com |
| 111.231.140[.]197 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A |
| 124.221.167[.]192 | CN | Shenzhen Tencent Computer Systems Company Limited | N/A |
| 117.72.10[.]22 | CN | Beijing Jingdong 360 Degree E-commerce Co., Ltd. | dn2ufncur4f3f[.]shop |
| 119.3.153[.]81 | CN | Huawei Cloud Service data center | N/A |
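The observables above, together with the shared certificate hash from the earlier section, are only useful once they are refanged and checked against telemetry. The following is an added example, not code from the post or from Hunt.io: it takes the indicators as printed in the tables (with the report's [.] defanging), validates the IP entries, and scans a handful of constructed, tab-separated connection, DNS and TLS records for hits on the listed IPs, the listed domains and their subdomains, and the certificate SHA-256. The log format and every log line are invented for the demonstration and are not real traffic.

```python
import ipaddress

# Indicators as listed in the observables tables above, kept in the post's defanged form.
DEFANGED_IPS = [
    "199.187.25[.]57", "47.108.74[.]30", "43.134.183.43", "101.132.182.180",
    "106.15.40[.]123", "39.98.196[.]145", "94.74.105[.]131", "1.15.247[.]249",
    "1.117.72[.]154", "27.102.118[.]70", "210.1.226[.]164", "101.43.157[.]20",
    "106.52.236[.]88", "111.231.140[.]197", "124.221.167[.]192", "117.72.10[.]22",
    "119.3.153[.]81",
]
DEFANGED_DOMAINS = [
    "cbshscs.comtom[.]cn", "kjdfklha[.]top", "src.idvfecx.qiniudns[.]com",
    "dn2ufncur4f3f[.]shop", "laoshanedu[.]cn",
]
# SHA-256 of the "Major Cobalt Strike" certificate named in the post.
CERT_SHA256 = "DFA9B3E8B5E0F229ECB2FB479544650D0B87EB8494CE176714CF4E53DBAFD687".lower()


def refang(indicator):
    """Undo the [.] and hxxp defanging used in reports so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_indicators():
    # ip_address() rejects malformed entries (an octet above 255, a stray dot), so a
    # transcription error in a table fails loudly here instead of silently never matching.
    ips = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    return ips, domains


def domain_matches(name, domains):
    """Exact or subdomain match; 'kjdfklha.top.example.com' must not match 'kjdfklha.top'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed, tab-separated sample records (conn / dns / ssl, loosely Zeek-shaped).
# Not real traffic; written so that the scanner has something to match.
SAMPLE_LOGS = [
    "conn\t1\t10.0.0.5\t199.187.25.57\t8899",
    "dns\t2\t10.0.0.5\tblog.kjdfklha.top",
    "dns\t3\t10.0.0.5\tkjdfklha.top.example.com",
    "ssl\t4\t10.0.0.7\t203.0.113.10\t\t" + CERT_SHA256.upper(),
    "conn\t5\t10.0.0.5\t8.8.8.8\t53",
    "ssl\t6\t10.0.0.8\t198.51.100.4\twww.example.org\t" + "00" * 32,
]


def scan_logs(lines, ips=None, domains=None):
    """Return (timestamp, indicator type, matched value) for every record hitting an IoC."""
    if ips is None or domains is None:
        ips, domains = load_indicators()
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        kind = fields[0]
        if kind == "conn":
            _, ts, _src, dst, _port = fields
            if ipaddress.ip_address(dst) in ips:
                hits.append((ts, "ip", dst))
        elif kind == "dns":
            _, ts, _src, query = fields
            if domain_matches(query, domains):
                hits.append((ts, "domain", query))
        elif kind == "ssl":
            _, ts, _src, dst, sni, cert_sha = fields
            # The certificate hash is checked first: the post shows the same certificate
            # moving between hosts, so it outlives any single IP in the table.
            if cert_sha.lower() == CERT_SHA256:
                hits.append((ts, "cert", cert_sha.lower()))
            elif ipaddress.ip_address(dst) in ips:
                hits.append((ts, "ip", dst))
            elif sni and domain_matches(sni, domains):
                hits.append((ts, "domain", sni))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Record 3 is deliberately a look-alike (the listed domain appears as a prefix of an unrelated name) and must not match; record 4 shows the certificate hash matching on a host that is not in the IP tables at all, which is the case the shared-certificate section describes.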