IT security teams are getting a new weapon to detect one of the most popular tools used by threat actors to distribute malware: cracked versions of the Cobalt Strike attack framework.
Google has released a set of open-source YARA rules, also integrated as a VirusTotal Collection, to help infosec pros flag and identify Cobalt Strike’s components and their respective versions. “Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use, we can help protect organizations, their employees, and their customers around the globe,” Greg Sinclair, a security engineer at Google’s Cloud Threat Intelligence division, said in a blog.
Created as a commercial product in 2012 and now sold by Fortra, Cobalt Strike was designed as a toolkit for red teamers to test the resilience of their organization’s cyber defenses.
Wrapped into a JAR file, it includes a Team Server component, which sets up a centralized server that operates as both a Command and Control (C2) endpoint and a coordinating hub for multiple actors to control infected devices. There are several delivery templates for JavaScript, VBA macros, and PowerShell scripts that can deploy small, diskless shellcode implants known as stagers. These stagers call back to the Team Server via one of the supported communication channels, including HTTP/HTTPS, SMB, and DNS, to download the final-stage implant known as the Beacon. The Beacon is the core binary that gives the actor control over the infected computer.
Small wonder threat actors looked at this, said “Wow,” and began making copies of it to help in their initial attacks and malware distribution. Google has found 34 different and illegal versions of Cobalt Strike, including copies of the current version, 4.7.
[Image: A typical Cobalt Strike infrastructure setup. Source: Google]
Detecting Cobalt Strike or its clones isn’t easy. For each release version of Cobalt Strike, a new, unique Beacon component is usually created. Google focused on non-current versions because leaked and cracked copies of Cobalt Strike are typically one release behind the current, commercial version, and it still had to generate 165 signatures to cover the Cobalt Strike components across all of those versions.
The YARA rules created by Google, which can be downloaded from VirusTotal, can be used with malware detection products from vendors including AlienVault, Cisco Systems, ESET, Forcepoint, Kaspersky, McAfee/Trellix, SonicWall, Trend Micro and many others.
“Our intention,” says Google’s Sinclair, “is to move the tool back to the domain of legitimate red teams and make it harder for bad guys to abuse.”
This isn’t the first effort at detecting bad versions of Cobalt Strike. For example, in 2020 Cisco Systems released Snort and ClamAV detection signatures, as well as a research paper on detecting Cobalt Strike.
Want to know how your security team can detect abuse of Cobalt Strike? Mandiant wrote a detailed blog post to help defenders understand the artifacts to look for. Microsoft offers advice as well, and Secureworks notes that, by default, Cobalt Strike always leverages the Rundll32 utility for command execution.
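The Rundll32 artifact Secureworks points to can be turned into a simple triage check. The following Python is an added example, not code from the article or from any of the vendors named in it: it runs two heuristics over constructed Sysmon-style process-creation events, flagging rundll32.exe launched with no DLL,export argument and rundll32.exe spawned by the Office, script-host and PowerShell parents that the delivery templates described above would run under (both heuristics and the parent list are assumptions made for this example).

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL hotplug.dll'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# Parents matching the delivery templates the article names: Office (VBA macros),
# Windows script hosts (JavaScript) and PowerShell. Assumed list for this example.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def rundll32_findings(event):
    """Reasons a process-creation event looks like rundll32 abuse; [] if none."""
    if basename(event["Image"]) != "rundll32.exe":
        return []
    reasons = []
    # Drop the leading executable token (quoted or bare); what remains are the arguments.
    args = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", event["CommandLine"].strip())
    if not args:
        # Legitimate rundll32 launches name a DLL and an export to call.
        reasons.append("rundll32 launched with no DLL,export argument")
    if basename(event["ParentImage"]) in SUSPICIOUS_PARENTS:
        reasons.append(f"rundll32 spawned by {basename(event['ParentImage'])}")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggered at least one check."""
    return [(i, r) for i, e in enumerate(events) if (r := rundll32_findings(e))]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Both checks are noisy on their own in a real estate; they are meant as a starting point to combine with the Beacon signatures above and the network artifacts Mandiant describes.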
There are other commercial penetration testing tools that have been cloned. One is Brute Ratel C4. Another, pointed out by Proofpoint, is Sliver, an open-source, cross-platform adversary simulation and red team platform.