Kolobko

Kolobko is a Windows malware/backdoor family identified by Cisco Talos during the May 2022 Cisco intrusion. Cisco released ClamAV detections for both an exploit and backdoor component: Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0. The malware was used after the attackers obtained initial access through compromised employee credentials, which were stolen from a personal Google account with Chrome password sync enabled, and then leveraged vishing and MFA fatigue to gain VPN access. In the intrusion, the threat actor was assessed with moderate-to-high confidence to be an initial access broker with ties to UNC2447 and Lapsus$, with observed links to Yanluowang ransomware operators; no ransomware was deployed.

The backdoor was described as a simple command-execution implant that retrieved JSON-formatted commands from attacker-controlled C2 infrastructure and executed them via the Windows Command Processor. Supported commands included DELETE_SELF and WIPE, with WIPE removing the last executed command from memory to hinder forensic analysis. It polled C2 over HTTP using requests to /bot/cmd.php?botid=%.8x and /bot/gate.php?botid=%.8x approximately every 10 seconds, received SHA256-hash responses, used a Microsoft Edge/Chrome-like Windows 10 user-agent string, and created a bdata.ini file derived from the system volume serial number. Cisco observed the backdoor running from C:\users\public\win\cmd.exe, and noted the attackers commonly staged tools under the Public user profile.

The broader intrusion involved deployment of remote access tools such as LogMeIn and TeamViewer, and offensive tooling including Cobalt Strike, PowerSploit, Mimikatz, Impacket, adfind, and secretsdump. The attackers escalated privileges, enrolled new MFA devices, pivoted through Citrix, accessed domain controllers, dumped credentials and registry hives, enabled RDP, established persistence via IFEO debugger keys for narrator.exe and sethc.exe, and attempted to clear forensic evidence with wevtutil.exe. Confirmed exfiltration was limited to a non-sensitive Box folder and Active Directory authentication data. Reported indicators associated with the campaign included domains such as ciscovpn1[.]com and cisco-helpdesk[.]cf, and the email address costacancordia[@]protonmail[.]com.