2022-08-30 (TUESDAY) - FOLLOW-UP TRAFFIC FROM BUMBLEBEE INFECTION (SLIVER)

NOTES:

• I can't share the full pcap, but I extracted the unidentified TLSv1.3 traffic over TCP port 8557, in case someone can figure out what it is.
• Zip files are password-protected.  If you don't know the password, see the "about" page of this website.

• UPDATE:  I was informed through a trusted source this traffic was caused by malware based on Sliver.

ASSOCIATED FILES:

• 2022-08-30-IPv4-65.20.115.15-TCP-port-8557.pcap.zip   21.0 kB   (21,004 bytes)

 

INDICATORS

FILE USED TO GENERATE THIS INFECTION:

• Powershell script (.ps1) file: link to sample on bazaar.abuse.ch

TRAFFIC:

• Bumblebee HTTPS (TLSv1.2) traffic:  142.11.234.238:443
• Unidentified TLSv1.3 traffic:  65.20.115.15:8557
• Cobalt Strike HTTPS (TLSv1.3) traffic:  23.19.58:94:443
• Cobalt Strike HTTPS (TLSv1.3) traffic:  23.81.246.152:443

 

IMAGES

Shown above:  Traffic from the infection filtered in Wireshark.

 

 

Shown above:  TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557.

 

 

Shown above:  TCP stream of the unidentified TLSv1.3 traffic over TCP port 8557 kept alive while victim host was active.

 

 

Click here to return to the main page.