Updated on 2022-12-07: Cobalt Strike adoption
PAN’s Unit42 research team says it spotted three malware operations that have straight out incorporated components of the Cobalt Strike pen-testing framework into their code. The three malware strains are KoboldLoader, MagnetLoader, and LithiumLoader. Read more: Blowing Cobalt Strike Out of the Water With Memory Analysis
Updated on 2022-12-05: New tool—WindowSpy
Security researcher CodeX has published a project named WindowSpy, which is a Cobalt Strike beacon mod that can be used to spy only on certain OS windows, based on the window title, such as browsers navigating to login pages, VPN sessions, confidential documents, and so on.
“The purpose was to increase stealth during user surveillance by preventing detection of repeated use of surveillance capabilities e.g. screenshots. It also saves the red team time in sifting through many pages of user surveillance data, which would be produced if keylogging/screenwatch was running at all times.”
Updated on 2022-11-24: Limiting Cobalt Strike Abuse
Google has released a set of open-source detection rules to find versions of Cobalt Strike that are being misused by malicious actors . Cobalt Strike is a legitimate commercial penetration testing tool that is often abused by malicious actors. Cobalt Strike sales are vetted by its vendor, so bad actors tend to use leaked or cracked versions which are harder to update and are typically at least one release version behind. By developing detection signatures for older versions Google hopes to make Cobalt Strike harder to misuse and “move the tool back to the domain of legitimate red teams”. Read more:
Updated on 2022-11-23: Google Taking Steps to Prevent Cobalt Strike Abuse
Google has announced new YARA rules and a VirusTotal collection that are intended to make Cobalt Strike harder to abuse. Cobalt Strike is a legitimate red-team testing tool, but malicious actors have been using it to move laterally within infiltrated networks.
Note
- This debate goes back to 1995 when Dan Farmer and Wietse Venema released the SATAN scanning tool – one of the very first tools network security folks could use to find vulnerabilities and misconfigurations. Overall, we are better off having strong security tools in use by the good side, even if the bad side will get to use them, too.
- You can use these new YARA rules to detect Cobalt Strike variants in your environment. Not a bad idea to go proactively hunting to see what turns up. Beware of security research legitimately using it for exactly that. While tempting to put those workstations on a blanket allow list, you need to not completely ignore them as they too could become a target for compromise.
Read more in
- Making Cobalt Strike harder for threat actors to abuse
- Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild
- Google Making Cobalt Strike Pentesting Tool Harder to Abuse
- GCTI/YARA/CobaltStrike/
- Stopping Cobalt Strike with YARA
Updated on 2022-11-21
Google Cloud detected 34 cracked Cobalt Strike versions in the wild. Ranging from version 1.44 to 4.7, the earliest version was released in November 2012. Read more: Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild
Updated on 2022-11-19: Cobalt Strike detections
The Google Cloud security team has released a set of open-source YARA Rules and a VirusTotal Collection to help security practitioners flag and identify Cobalt Strike components and specific Cobalt Strike versions on their networks. Read more:
- Making Cobalt Strike harder for threat actors to abuse
- Introducing VirusTotal Collections
- chronicle/GCTI
“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors.”
Updated on 2022-10-12
A Ukrainian military-themed Excel file was found dropping Cobalt Strike beacons, apart from executing multi-stage loaders. Read more: Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader
Updated on 2022-09-30
Cisco Talos discovered a malicious campaign in August 2022 that delivered Cobalt Strike payloads by using a phishing email with a malicious Microsoft Word attachment as the initial attack vector. They either impersonated a U.S. government organization or a trade union in New Zealand. Read more: New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
Updated on 2022-09-29: Cobalt Strike still playing major role on threat landscape
Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic. Read more: New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
Overview
HelpSystems released this week a security update for the Cobalt Strike red-team framework that fixed a security flaw (CVE-2022-39197) that could have allowed threat actors to hijack CS servers. Read more: Out Of Band Update: Cobalt Strike 4.7.1