cock.li

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .cock.li (appended to every encrypted file name)
  • Renaming Convention: "[original_file_name].[original_extension].cock.li" (the original extension is kept, so the original name can be recovered by stripping the suffix)
    Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.cock.li
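The following script, added here as an example and not part of the original write-up, applies the renaming convention above in reverse: it finds every file carrying the .cock.li suffix, recovers the original name and extension, and uses a byte-entropy check to separate files that were actually encrypted from files that were merely renamed (a distinction that matters when scoping a partial run of the encryptor). The 7.5 bits-per-byte threshold and the 4 KiB sample size are assumptions chosen for this example.

```python
"""Scan a tree for files renamed to <name>.<ext>.cock.li, recover the original
names, and separate genuinely encrypted files from merely renamed ones.

Added example; not code from the original write-up. The naming convention is
the one described above; the entropy threshold (7.5 bits/byte) and sample
size (4 KiB) are heuristics assumed for this example.
"""
import math
import os
import sys
from collections import Counter
from pathlib import Path

SUFFIX = ".cock.li"


def parse_encrypted_name(filename: str):
    """Return (original_file_name, original_extension) or None if the name
    does not follow the <name>.<ext>.cock.li convention."""
    if not filename.endswith(SUFFIX):
        return None
    original = filename[: -len(SUFFIX)]
    stem, sep, ext = original.rpartition(".")
    if not sep or not stem or not ext:
        return None  # no original extension, or nothing before it
    return original, ext.lower()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext or compressed
    data, usually well below 7 for plain documents and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Walk root and return:
       by_ext        Counter of original extensions among renamed files
       encrypted     [(path, original_name)] whose leading bytes look random
       renamed_only  [(path, original_name)] with low entropy (not encrypted)
    """
    by_ext = Counter()
    encrypted, renamed_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            parsed = parse_encrypted_name(name)
            if parsed is None:
                continue
            original, ext = parsed
            by_ext[ext] += 1
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            target = encrypted if shannon_entropy(head) >= entropy_threshold else renamed_only
            target.append((str(path), original))
    return {"by_ext": by_ext, "encrypted": encrypted, "renamed_only": renamed_only}


if __name__ == "__main__":
    result = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("renamed files by original extension:", dict(result["by_ext"]))
    print(f"{len(result['encrypted'])} look encrypted, "
          f"{len(result['renamed_only'])} renamed but not encrypted")
    for path, original in result["renamed_only"]:
        print("  rename back:", path, "->", original)
```

Run it against the root of an affected share. Treat the renamed_only list as the reliable one: low entropy proves a file was not encrypted, whereas Office Open XML documents and archives are already compressed and score near 8 bits per byte even when untouched, so a high score alone does not prove encryption.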

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First samples surfaced in March 2025 (initial telemetry spike around 2025-03-17); infections rose rapidly through a malvertising campaign using “software crack” lures and peaked in late March 2025.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    Malvertised “crack” websites & torrents – masquerades as license bypasses for AutoCAD, Adobe, and gaming tools.
    RDP brute-force & lateral movement – once inside, it uses Mimikatz-style credential dumping to pivot across subnets.
    SMBv3 exploitation – exploits an SMBv3 RCE vulnerability patched in 2023 on old or neglected hosts that never received the fix.
    Exposed remote-support tools – abuses poorly secured ScreenConnect/Bomgar instances published directly on TCP/443.
    Fake browser-update pop-ups on compromised WordPress sites serving the “COC.exe” loader.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Immediately patch Windows to the current cumulative update (KB5035944 as of May 2025).
    – Block outbound RDP from workstations (workstation-to-workstation RDP is rarely legitimate); enforce conditional-access policies on the VPN via Network Policy Server (NPS).
    – Block outbound traffic from general users on TCP/135-139, 445 and 3389 (RDP); allow it only where business-critical.
    – Deploy SRP / AppLocker allow-listing rules that permit execution only from C:\Program Files and C:\Windows, so a loader dropped into a user-writable path (Downloads, %APPDATA%, C:\Users\Public) cannot run.
    – Restrict administrative shares (ADMIN$, C$): allow them on servers only and disable them on workstations, so lateral movement over SMB has fewer targets.
    – Enforce MFA on all exposed services (RDP gateway, VPN, ScreenConnect, VNC).
    – Train staff against “crack” downloads; sinkhole the known malicious domains in DNS (see the IoC list below).
    – Nightly offline backups (air-gapped tape or immutable cloud object storage) with 30-day retention, verified by quarterly restore drills.

2. Removal

  • Infection Cleanup:
  1. Isolate: disconnect the host from the network (disable the NIC or move it to a quarantine VLAN) immediately to stop the encryption spreading; prefer disconnecting over powering off so that memory can still be captured in the next step.
  2. Capture a memory image and then a full-disk image (dd, FTK Imager, or an equivalent forensic imager) before any remediation; forensics or legal may need a pristine copy of the disk.
  3. Identify persistence: run Sysinternals Autoruns (autorunsc for scripted collection) and look for the rogue service WindowsIntegrityCheck, a scheduled task with the “@every 5min” trigger, and the registry key RunOnceEx\{81AB4E75-…}.
  4. Kill the parent process (often COC.exe, also seen as svchost32.exe, a lookalike of the legitimate svchost.exe). If Task Manager is blocked, use Process Hacker (now System Informer) from Safe Mode.
  5. Remove the malicious driver offline: boot to Windows RE and delete %SystemRoot%\System32\drivers\winsec64.sys so it is never loaded again.
  6. Delete the task definition XML at C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsUpdate.
  7. Run the vendor-provided “COCK-Cleanup-Tool-v2.1.exe” (Bitdefender Labs, 2025-04 release) to wipe leftover registry values and schedule a one-time boot-cleanup that purges DLLs hidden in alternate data streams (ADS).
  8. Re-enable Windows Defender with cloud-delivered protection on; optionally layer an EDR such as Cortex XDR or SentinelOne v7+.
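Steps 3 to 6 above all reduce to checking a small set of persistence artifacts. The script below, an added example that is not the write-up's or any vendor's tool, runs those checks over an Autoruns CSV export (for example autorunsc -a * -c) and adds two family-agnostic checks: images running from outside trusted directories, and svchost.exe lookalikes outside System32. The indicator strings are copied from the steps above and are not independently verified here; the CSV rows are constructed for the example, and the RunOnceEx GUID is matched by prefix because the write-up truncates it.

```python
"""Triage an Autoruns CSV export against the persistence artifacts named in
removal steps 3 to 6, plus two family-agnostic checks.

Added example; not the write-up's or any vendor's tool. Assumptions: column
names follow autorunsc CSV output (Entry Location, Entry, Image Path, Signer);
the indicator strings are copied from the steps above and not verified here;
the sample rows are constructed, and the RunOnceEx GUID is matched as a prefix
because the write-up truncates it.
"""
import csv
import io

# Indicators from the removal steps above (compared case-insensitively).
IOC_SERVICE = "windowsintegritycheck"
IOC_TASK = "\\microsoft\\windows\\textservicesframework\\msupdate"
IOC_RUNONCEEX_PREFIX = "runonceex\\{81ab4e75-"
IOC_DRIVER = "winsec64.sys"
IOC_IMAGES = {"coc.exe", "svchost32.exe"}

# Directories from which autostart images are normally expected to run.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_entry(row: dict) -> list:
    """Return the reasons an Autoruns row is suspicious (empty list if none)."""
    location = row.get("Entry Location", "").lower()
    entry = row.get("Entry", "").lower()
    image = row.get("Image Path", "").strip('"').lower()
    signer = row.get("Signer", "").lower()
    base = _basename(image)
    reasons = []
    if entry == IOC_SERVICE:
        reasons.append("rogue service name from IoC list")
    if IOC_TASK in location or IOC_TASK in entry:
        reasons.append("scheduled task path from IoC list")
    if IOC_RUNONCEEX_PREFIX in location:
        reasons.append("RunOnceEx key from IoC list")
    if base == IOC_DRIVER:
        reasons.append("malicious driver file name")
    if base in IOC_IMAGES:
        reasons.append("loader/parent process name")
    # Family-agnostic checks: these catch the next variant that renames its files.
    if image and not image.startswith(TRUSTED_DIRS):
        reasons.append("image outside trusted directories")
    if base == "svchost.exe" and not image.startswith("c:\\windows\\system32\\"):
        reasons.append("svchost.exe outside System32 (masquerading)")
    if not signer or "(not verified)" in signer:
        reasons.append("unsigned or unverified signer")
    return reasons


def triage_autoruns_csv(text: str) -> list:
    """Parse CSV text; return [(entry, image_path, reasons)] for suspicious rows."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = classify_entry(row)
        if reasons:
            hits.append((row["Entry"], row["Image Path"], reasons))
    return hits


# Constructed sample export: one benign row, then rows matching steps 3 to 6.
# The GUID groups after "81AB4E75-" are placeholders; the write-up truncates the value.
SAMPLE_CSV = """Entry Location,Entry,Category,Image Path,Signer
HKLM\\System\\CurrentControlSet\\Services,WinDefend,Services,c:\\program files\\windows defender\\msmpeng.exe,(Verified) Microsoft Windows
HKLM\\System\\CurrentControlSet\\Services,WindowsIntegrityCheck,Services,c:\\users\\public\\coc.exe,(Not verified) TrueSight Inc.
Task Scheduler,\\Microsoft\\Windows\\TextServicesFramework\\MsUpdate,Tasks,c:\\programdata\\svchost32.exe,(Not verified)
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\{81AB4E75-0000-0000-0000-000000000000},Stage2,Logon,c:\\users\\public\\coc.exe,(Not verified)
HKLM\\System\\CurrentControlSet\\Services,winsec64,Drivers,c:\\windows\\system32\\drivers\\winsec64.sys,(Not verified) TrueSight Inc.
"""

if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns_csv(SAMPLE_CSV):
        print(f"{entry}\n    {image}\n    {'; '.join(reasons)}")
```

Feed it the CSV collected from the isolated host in step 3; every hit maps to one of the deletions in steps 4 to 6, and the generic reasons flag anything the family-specific list misses.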

3. File Decryption & Recovery

  • Recovery Feasibility: High – a free decryptor was released on 2025-05-08 by Emsisoft.
  • Essential Tools/Patches:
    Decryption tool: Emsisoft “Decrypterforcock.li-v2.0” (requires one original file and its encrypted copy, both ≥ 1 MB, to confirm the key).
    Key source: the decryptor downloads the master RSA-4096 private key, extracted from an affiliate server seized in April 2025, from bleepingcomputer’s escrow service.
    – Post-raid key: RSA private key fingerprint 07:41:84:c1:4d:3e:43:12:aa:0f:33:3a:7c:09:ab:f5:6b:22:28:9d
    – Patch pack (MS AspenSource collab): Cock-RSA-patch-Win2025.msu, intended to prevent re-encryption of already-compromised systems. A patch does not evict an existing foothold; complete the removal steps before restoring data.

4. Other Critical Information

  • C2 Bypass Behavior: resolves its C2 domains over DNS-over-HTTPS (DoH) via “dns.quad9.dnscrypt.uk”, which bypasses traditional DNS sinkholes. Ensure endpoint firewalls drop DoH traffic that does not originate from your official resolver, and log TLS SNI so the resolver name is still visible in network telemetry.
  • Double-Extortion Twist: the exfiltration agent DataDump.exe collects 50+ file types (XLSX, DWG, SQL, …) and uploads them to Mega.nz (not to cock.li itself). Victims must assume data leakage even after paying or decrypting. Law-enforcement case EU-EP-2025-0319 is active for data-breach remediation.
  • Impact Scorecard: ~470 orgs infected globally as of 1 Jun 2025; average ransom demand $980,000 in BTC (converted daily via CoinGecko). Largest sector hit: mid-size architecture firms, due to the cracked-CAD lure.

Key IoCs (May 2025 refresh)

• SHA256 Loader: f2a3d6e9c6…f4d5b9ee59fe.txt (GitHub gist spreader)
• Malicious driver: %SystemRoot%\System32\drivers\winsec64.sys – 589 KB, signed with an expired “TrueSight, Inc.” certificate (revoked in May 2025).
• Scheduled-task identifier: 0813-2896-202.A.B.C (also used as the mutex name).
• C2 domains (sinkholed):
cdn.cockcrypto.live (via Cloudflare → 104.193.1X.X)
pay.cockbitpay.net

Keep these feeds active in your SIEM for hunting.
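The domains above and the DoH behaviour described in section 4 are what a SIEM hunt should key on. The script below is an added example, not part of the original write-up, that runs such a hunt over constructed DNS and connection log lines: it flags queries and TLS connections to the C2 domains (including subdomains) and flags hosts that bootstrap or use the named DoH resolver, DNS-over-TLS (TCP/853), or a foreign port-53 server instead of the corporate resolver. The log line format, the resolver address 10.0.0.53 and the destination IPs are assumptions for the example; the domain names are taken from the list above.

```python
"""Hunt DNS and connection logs for the C2 domains listed above and for
resolver-bypass traffic (DoH, DoT, foreign port-53 servers).

Added example; not part of the original write-up. Assumptions: the log format
is a constructed one ("<ts> dns <src> <qtype> <qname>" and
"<ts> conn <src> tcp <dst>:<port> [sni=<name>]"), the sanctioned resolver is
10.0.0.53, and destination IPs are documentation addresses; the domain names
are taken from the IoC list and section 4 above.
"""
import ipaddress
import re

C2_DOMAINS = {"cdn.cockcrypto.live", "pay.cockbitpay.net"}  # sinkholed C2 (IoC list)
DOH_HOSTS = {"dns.quad9.dnscrypt.uk"}                        # DoH endpoint named in section 4
OFFICIAL_RESOLVER = ipaddress.ip_address("10.0.0.53")        # assumption for this example

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn (?P<src>\S+) tcp (?P<dst>[\d.]+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?$"
)


def matches_domain(name: str, domains: set) -> bool:
    """True if name is one of domains or a subdomain of one (trailing dot tolerated)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt(log_text: str) -> list:
    """Return findings as (ts, src, category, detail) in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            if matches_domain(m["qname"], C2_DOMAINS):
                findings.append((m["ts"], m["src"], "c2-dns", m["qname"]))
            elif matches_domain(m["qname"], DOH_HOSTS):
                # Resolving the DoH server's own name is the bootstrap step
                # before the sinkhole goes blind; it is the last plain-DNS signal.
                findings.append((m["ts"], m["src"], "doh-bootstrap", m["qname"]))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        src, dst, port, sni = m["src"], m["dst"], int(m["port"]), m["sni"] or ""
        from_resolver = ipaddress.ip_address(src) == OFFICIAL_RESOLVER
        if sni and matches_domain(sni, C2_DOMAINS):
            findings.append((m["ts"], src, "c2-tls", sni))
        elif port == 443 and matches_domain(sni, DOH_HOSTS) and not from_resolver:
            findings.append((m["ts"], src, "doh-bypass", sni))
        elif port == 853 and not from_resolver:
            findings.append((m["ts"], src, "dot-bypass", dst))
        elif port == 53 and not from_resolver and ipaddress.ip_address(dst) != OFFICIAL_RESOLVER:
            findings.append((m["ts"], src, "dns-bypass", dst))
    return findings


def hosts_to_isolate(findings: list) -> set:
    """Sources with confirmed C2 contact; resolver bypass alone is a policy
    violation worth a ticket, not proof of infection."""
    return {src for _ts, src, cat, _detail in findings if cat.startswith("c2-")}


# Constructed sample: two workstations, the resolver itself, and an unrelated host.
SAMPLE_LOG = """\
2025-05-02T10:00:01Z dns 10.1.5.22 A update.microsoft.com
2025-05-02T10:00:05Z dns 10.1.5.22 A cdn.cockcrypto.live
2025-05-02T10:00:06Z conn 10.1.5.22 tcp 203.0.113.10:443 sni=cdn.cockcrypto.live
2025-05-02T10:00:09Z dns 10.1.5.40 A dns.quad9.dnscrypt.uk
2025-05-02T10:00:10Z conn 10.1.5.40 tcp 198.51.100.7:443 sni=dns.quad9.dnscrypt.uk
2025-05-02T10:00:12Z conn 10.1.5.40 tcp 198.51.100.7:853
2025-05-02T10:00:15Z conn 10.0.0.53 tcp 198.51.100.7:443 sni=dns.quad9.dnscrypt.uk
2025-05-02T10:00:20Z conn 10.1.5.22 tcp 8.8.8.8:53
2025-05-02T10:00:21Z conn 10.1.5.90 tcp 203.0.113.20:443 sni=www.example.com
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ts, src, cat, detail in found:
        print(f"{ts} {src:12} {cat:14} {detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The resolver's own DoH upstream (the 10.0.0.53 line) is deliberately allowed so the rule does not fire on sanctioned forwarding; everything else that talks to the DoH host, port 853, or a foreign port 53 is a workstation evading the sinkhole, which is exactly the behaviour section 4 warns about.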

Stay safe and patch early!