Trojan:Win32/TangentCobra.A!dha is a trojan that disguises itself as legitimate software to gain a foothold on a device.
To mitigate the issue, follow these steps:
Apply security updates promptly on all applications and operating systems, prioritizing any vulnerabilities known to be exploited in the wild. Consult the Microsoft Security Update Guide for comprehensive information on available Microsoft security updates.
Follow the principle of least privilege and maintain credential hygiene. Avoid using domain-wide, admin-level service accounts. Restrict local administrative privileges to mitigate the potential installation of remote access trojans (RATs) and other undesirable applications.
Network segmentation is useful in constraining the propagation of malware infections. The process involves partitioning a network into smaller segments, effectively confining an infection to a single segment rather than permitting its unrestricted spread across the entire network.
Promote the use of Microsoft Edge and other web browsers that support SmartScreen, a feature identifying and blocking malicious websites, including phishing sites, scam sites, and those hosting exploits or malware.
Turn on the attack surface reduction rule that blocks JavaScript and VBScript from launching downloaded executable content.
Threat behavior
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
Downloading and uploading files
Enumerating files and folders
Enumerating running processes
Executing arbitrary commands
Gathering system information such as IP address and computer name
Securely deleting files and folders
Connects to a remote host
We have seen this threat connect to a remote host, including the following C2 servers:
xxx
This malware description was published using the analysis of file SHA1 xxx.
SHA1: 9d280e3ef1b180449086dda5b92a7b9bbe63dee4

The above detections relate to the TangentCobra malware. This malware is similar to the DarkNeuron family, but attempts to avoid detection by injecting a DLL into a running process and avoiding writing the main payload to disk.

The payload and configuration for TangentCobra are written to the following path on the system volume:

\ProgramData\Microsoft\Windows\Caches\

The loader reads the data from this path and decrypts it. The data is RC4-encrypted (modified algorithm) using a 32-byte static key truncated to 31 bytes with an appended null byte, resulting in:

1B1440D90FC9BCB46A9AC96438FEEA8\x00

The decrypted payload is then reflectively loaded into a target process. An observed payload (internally named oxygen.dll) has SHA1 hash 5ed61ec7de11922582f07c3488ef943b439ee226.

An example configuration from the file "config_listen.system" is shown below. The file name and the wildcard host value suggest a listener configuration rather than an outbound beacon:

proto=https
host=+
port=443
param=OWA-AUTODISCOVER-EWS

Other data is stored within "ctx.system", including an RSA public key used to encrypt outgoing command and control data:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg4r6SSnj2PnYbe6C4H8c
M7162eRS+RTE8BYW8cTGdFPSiDiVOblImyddBLu/fW7MSc+BUsmg2l9SVyvJrHJk
0xnr7PRH9Dq7IcTYzQPMSsG1nC2Lej09EtilKwAQP08MIpiredzgXwom3rlH0Trc
HiKxjLhQcuK0Mllsq+54gYPaoi6LkZG/lUxhWuGI1M2i3/dHp40vbwaaL5Sotxuv
jSytDsU75U5T+rCAHVMykiLi/x7PKg40JQoYGMSOPUJsx87i/uy3uHoecl2ns038
b70Gh6KJ4x5mwaKjMRsSm8PUN6ccHSyqetpXuTXoKU5dEDIQLNAwXTZY40d/aTEx
uQIDAQAB
-----END PUBLIC KEY-----

TangentCobra is capable of the following operations:
• Execute a cmd.exe command
• Read file
• Write file
• Delete file
• GetTempPathA
• Sleep
• Create directory
• Check if directory
• Shutdown (implant)
• Uninstall
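The following is an added example for analysts, not code from the Microsoft description or from the malware itself. It rebuilds the 32-byte loader key exactly as described above (31 bytes plus a null), decrypts a blob with it, parses the key=value configuration, and walks the DER of the ctx.system RSA public key to recover its modulus size, exponent and a SHA-256 fingerprint that can be used to match other samples. Two assumptions: the page calls the cipher a modified RC4 without describing the modification, so textbook RC4 is used here and would need adjusting against a real sample; and the encrypted blob is constructed inline (by encrypting the quoted configuration with the rebuilt key), not data recovered from the Caches directory.

```python
import base64
import hashlib

# 31-byte static key fragment quoted in the write-up; the loader appends a null.
RAW_KEY = b"1B1440D90FC9BCB46A9AC96438FEEA8"

# RSA public key from ctx.system, exactly as quoted in the write-up.
C2_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg4r6SSnj2PnYbe6C4H8c
M7162eRS+RTE8BYW8cTGdFPSiDiVOblImyddBLu/fW7MSc+BUsmg2l9SVyvJrHJk
0xnr7PRH9Dq7IcTYzQPMSsG1nC2Lej09EtilKwAQP08MIpiredzgXwom3rlH0Trc
HiKxjLhQcuK0Mllsq+54gYPaoi6LkZG/lUxhWuGI1M2i3/dHp40vbwaaL5Sotxuv
jSytDsU75U5T+rCAHVMykiLi/x7PKg40JQoYGMSOPUJsx87i/uy3uHoecl2ns038
b70Gh6KJ4x5mwaKjMRsSm8PUN6ccHSyqetpXuTXoKU5dEDIQLNAwXTZY40d/aTEx
uQIDAQAB
-----END PUBLIC KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def build_key(raw: bytes) -> bytes:
    """Truncate to 31 bytes and append a null byte: the 32-byte RC4 key."""
    return raw[:31] + b"\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). ASSUMPTION: the loader's modification to
    RC4 is not described on the page, so the standard algorithm is used."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> dict:
    """Parse key=value lines of config_listen.system, ignoring blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


# Constructed sample: the quoted configuration encrypted with the rebuilt key,
# so decryption can be shown end to end. Not a blob recovered from a host.
SAMPLE_CONFIG = b"proto=https\nhost=+\nport=443\nparam=OWA-AUTODISCOVER-EWS\n"
SAMPLE_BLOB = rc4(build_key(RAW_KEY), SAMPLE_CONFIG)


def decrypt_config(blob: bytes) -> dict:
    """Decrypt a cached configuration blob and parse it."""
    plain = rc4(build_key(RAW_KEY), blob)
    return parse_config(plain.decode("ascii", errors="replace"))


def der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def describe_spki(pem: str) -> dict:
    """Parse a SubjectPublicKeyInfo PEM: modulus bits, exponent, SHA-256 of DER."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, spki, _ = der_tlv(der, 0)               # outer SEQUENCE
    _, alg, p = der_tlv(spki, 0)               # AlgorithmIdentifier
    oid_tag, oid, _ = der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = der_tlv(spki, p)              # BIT STRING; bits[0] = unused bits
    _, rsapub, _ = der_tlv(bits, 1)            # RSAPublicKey SEQUENCE
    _, n, p = der_tlv(rsapub, 0)               # INTEGER modulus
    _, e, _ = der_tlv(rsapub, p)               # INTEGER publicExponent
    return {
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    print(decrypt_config(SAMPLE_BLOB))
    print(describe_spki(C2_PUBLIC_KEY_PEM))
```

The SPKI fingerprint is a useful pivot: because the RSA key encrypts outgoing C2 data, a second sample carrying the same key in its ctx.system is very likely operated by the same infrastructure even if its host, port or parameter values differ.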
The backdoor also lets the attacker install additional malicious software, which can further destabilize the compromised system, causing crashes or data corruption that disrupt normal operation. These capabilities underline the need for layered controls against unauthorized access and data theft.
Prevention
Preventing Trojan:Win32/TangentCobra.A!dha infections involves the following actions:
Turn on cloud-delivered protection in Microsoft Defender Antivirus. This is important for keeping up with rapidly evolving attacker tools and techniques, since cloud-based machine learning protections block most new and unknown variants.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts. This matters most when a non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts identified after a breach.
Keep Microsoft Exchange Servers up to date with the latest security updates to fortify their resilience against potential Snake intrusions.
Employ an enterprise attack surface management solution, such as Microsoft Defender External Attack Surface Management, to identify unpatched systems within your perimeter, reducing vulnerability to Snake attacks.
Turn on the attack surface reduction rule that blocks execution of potentially obfuscated scripts, a proactive measure against Snake's covert activity.
Activate network protection, an additional layer of defense to safeguard against Snake's attempts to infiltrate your systems.
Follow Microsoft's recommendation to monitor the Exchange Admin Audit log for suspicious or unexpected use of specific cmdlets, including Add-MailboxFolderPermission, Set-MailboxFolderPermission, and New-ManagementRoleAssignment where -Role is ApplicationImpersonation.
Use the Non-owner mailbox access report in the Exchange Admin Center, which lists mailboxes accessed by someone other than the mailbox owner. The report is generated automatically but is only available when mailbox audit logging is enabled.
Enable Safe Links and Safe Attachments within Microsoft Defender for Office 365, further fortifying your defense against potential Snake-related threats.
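As an added example of the audit-log monitoring recommended above (not code from Microsoft or from this page), the detection logic below runs over constructed Exchange admin audit records and flags the cmdlets named in the recommendation, treating New-ManagementRoleAssignment as suspicious only when its -Role is ApplicationImpersonation. The record shape (CmdletName, CmdletParameters as name/value pairs, Caller, RunDate, ObjectModified) mirrors the fields returned by Search-AdminAuditLog, but the JSON lines themselves are made up for this demonstration, and the allowlist of expected callers is a hypothetical tuning knob you would fill from your own environment.

```python
import json

# Cmdlets that are suspicious on their own.
ALWAYS_WATCHED = {"Add-MailboxFolderPermission", "Set-MailboxFolderPermission"}

# Hypothetical allowlist: service accounts expected to run these cmdlets.
# ASSUMPTION: empty here; populate from your change-control records.
EXPECTED_CALLERS: set = set()

# Constructed sample records (JSON lines); not real audit data.
SAMPLE_AUDIT_LOG = """
{"RunDate": "2024-03-02T01:13:40Z", "Caller": "contoso.com/Users/jdoe", "CmdletName": "Get-Mailbox", "CmdletParameters": [{"Name": "Identity", "Value": "jdoe"}], "ObjectModified": "jdoe"}
{"RunDate": "2024-03-02T01:14:02Z", "Caller": "contoso.com/Users/jdoe", "CmdletName": "Add-MailboxFolderPermission", "CmdletParameters": [{"Name": "Identity", "Value": "ceo:\\\\Inbox"}, {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "Reviewer"}], "ObjectModified": "ceo:\\\\Inbox"}
{"RunDate": "2024-03-02T01:15:11Z", "Caller": "contoso.com/Users/jdoe", "CmdletName": "New-ManagementRoleAssignment", "CmdletParameters": [{"Name": "Role", "Value": "ApplicationImpersonation"}, {"Name": "User", "Value": "svc-sync"}], "ObjectModified": "ApplicationImpersonation-svc-sync"}
{"RunDate": "2024-03-02T09:00:00Z", "Caller": "contoso.com/Users/exadmin", "CmdletName": "New-ManagementRoleAssignment", "CmdletParameters": [{"Name": "Role", "Value": "Mail Recipients"}, {"Name": "User", "Value": "helpdesk1"}], "ObjectModified": "Mail Recipients-helpdesk1"}
{"RunDate": "2024-03-02T09:05:30Z", "Caller": "contoso.com/Users/exadmin", "CmdletName": "Set-MailboxFolderPermission", "CmdletParameters": [{"Name": "Identity", "Value": "cfo:\\\\Calendar"}, {"Name": "User", "Value": "assistant"}, {"Name": "AccessRights", "Value": "Editor"}], "ObjectModified": "cfo:\\\\Calendar"}
"""


def parse_records(text: str) -> list:
    """Parse JSON-lines audit export into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parameters(record: dict) -> dict:
    """Flatten CmdletParameters into a case-insensitive name -> value map."""
    return {p["Name"].lower(): str(p["Value"]) for p in record.get("CmdletParameters", [])}


def is_suspicious(record: dict) -> bool:
    """Apply the cmdlet rules from the Exchange monitoring recommendation."""
    if record.get("Caller") in EXPECTED_CALLERS:
        return False
    name = record.get("CmdletName", "")
    if name in ALWAYS_WATCHED:
        return True
    if name == "New-ManagementRoleAssignment":
        # Only impersonation grants are in scope; other role assignments are routine.
        return parameters(record).get("role", "").lower() == "applicationimpersonation"
    return False


def find_suspicious(text: str) -> list:
    """Return (RunDate, Caller, CmdletName, ObjectModified) for each hit."""
    return [
        (r["RunDate"], r["Caller"], r["CmdletName"], r.get("ObjectModified", ""))
        for r in parse_records(text)
        if is_suspicious(r)
    ]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_AUDIT_LOG):
        print(hit)
```

In a real deployment the records would come from Search-AdminAuditLog (or the unified audit log in Exchange Online) exported to JSON, and a burst of folder-permission changes followed by an ApplicationImpersonation grant from the same caller, as in the sample, is the pattern to escalate.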
When a device is affected by the Trojan:Win32/TangentCobra.A!dha, various symptoms may emerge. Here are the key indicators:
Increased CPU, memory, or disk usage, leading to a noticeable decline in system responsiveness.
Sudden system failures or lockups. TangentCobra can destabilize the device, resulting in unexpected crashes.
TangentCobra disguises itself as legitimate software, so unfamiliar processes in Task Manager warrant scrutiny.
Suspicious network activity, such as unexpected HTTPS traffic on port 443, consistent with the configuration shown above.
TangentCobra manipulates or deletes crucial system files or personal data, potentially causing data loss or system dysfunction.
Unauthorized additions to browser extensions without informing the user.
TangentCobra deactivates antivirus or firewall safeguards to avoid detection, emphasizing the importance of regularly verifying and maintaining security settings.