Cobalt Strike is a paid penetration testing product that has legitimate uses, although hackers often use it for malicious purposes. Recently, Google Cloud team identified 34 different hacked releases of Cobalt Strike in the wild.

Latest findings

Researchers have found the versions of Cobalt Strike JAR files starting with version 1.44 (circa 2012) up to the latest version, 4.7.2.
  • Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. 
  • In total, 34 different release versions have been found with a total of 275 unique JAR files.
  • It implies that to detect these variants, a minimum of 340 binaries must be analyzed and have signatures written for their detection. 

Counter-attack attempts

Experts have cataloged the stagers, templates, and beacons, including the XOR encodings used by all versions of this pentesting tool, from 1.44 up to version 4.7.
  • They have developed a total of 165 signatures to detect these malicious Cobalt Strike components.
  • By analyzing these versions, experts have released a set of YARA Rules to help detect and deter attacks that use malicious Cobalt Strike.

Recent attacks with Cobalt Strike

Cobalt Strike was previously a paid subscription tool, however, its source code was allegedly leaked in 2020, which gave hackers free access to its code, allowing unrestricted use in malicious campaigns. Recently, it has been abused in several attacks.
  • A few days ago, a phishing campaign was distributing the QBot malware, downloading additional post-exploitation toolkits including Cobalt Strike.
  • At the beginning of this month, a new APT group dubbed Earth Longzhi was seen targeting organizations in East Asia, Southeast Asia, and Ukraine using a Cobalt Strike loader.

Conclusion

For years, cybercriminals have actively latched onto the typical Cobalt Strike capabilities and used it as a robust tool for lateral movement and persistence in several attacks. Experts have built YARA-based detection across these malicious variants in the wild with a high degree of accuracy. The efforts to detect the cracked or leaked Cobalt Strike versions are a progressive step towards a safer digital world.
Cyware Publisher

Publisher

Cyware