Threat Watch

Cobalt Strike Beacons Being Hosted on Myanmar President’s Website

An unidentified hacking group is believed to have implanted a Cobalt Strike backdoor inside a localized font package that is downloadable on the President of Myanmar’s website. The initial incident was discovered by security researchers working for ESET and reported on June 2nd. The font package contained a file called Acrobat.dll containing a loader for the Cobalt Strike Beacon. If the DLL file is executed, it would establish Command and Control (C2) communications to the attacker’s server at 95.217.1[.]81. There is still no attribution as to which group was responsible for the attack, but the general attribution is believed to be a Chinese state-sponsored group due to similarities with past campaigns attributed to the threat group known as Mustang Panda or RedEcho.


This is not the first time Myanmar has dealt with a watering hole attack. The previous incidents occurred in November 2014 and May 2015 where Evilgrab was delivered through the President’s website, but this current attack appears unrelated. Detecting modifications to websites like this can be mitigated in many ways, one of which is file and website integrity monitoring. Taking a SHA-256 hash of the original site or template and performing routine or automated checks against the site can help set off alerts when any changes are made – comparing the detected changes to authorized and expected alterations of the site can lead to discovery of threats. Depending on how often a website is updated, this approach may or not be feasible. Another important consideration for website security is to publish a way to contact the website owner about security issues. Quite often, website problems are first spotted by a security researcher, and unless there is a clear way to communicate the issue to the website owner, the problem might go unreported.