Credit: Dreamstime
Google recently released a list of YARA detection rules for malicious variants of the legitimate Cobalt Strike penetration testing framework that are being used by hackers in the wild.
Cobalt Strike is a commercial attack framework designed for red teams that has also been adopted by many threat actors, from APT groups to ransomware gangs and other cyber criminals.
Living off the land is a common tactic
The abuse by attackers of system administration, forensic, or security tools that are either already installed on systems or can be easily deployed without raising suspicion has become extremely common.
The use of this tactic, known as living off the land (LOTL), used to be a telltale sign of sophisticated cyber espionage groups who moved laterally through environments using manual hacking and placed great value on stealth.
These groups rightly understood that abusing the same tools that IT or security teams commonly use in their work environments will challenge the malware detection and prevention controls that organisations had in place. Security vendors are also reluctant to flag some of these tools as malicious, due to the high risk of false positives.
Seeing the success of this tactic, many cyber criminal gangs also started to shift their approach from using highly automated malware with self-propagation capabilities that tried to infect as many systems as possible to find a weak entry point for the deployment of a lightweight implant for remote access and then moving laterally manually by using open source network scanners, credential dumpers, legitimate privilege escalation tools, and so on.
One attack category where this has been evident is ransomware, which used to spread through networks using automated exploits and drop the same ransom note to everyone. Nowadays, most ransomware programs are manually deployed, often as the last step in an attack, after hackers have already been in the network for days or weeks and worked their way up to domain admin access.
What is Cobalt Strike?
Cobalt Strike is a highly customisable attack framework intended to be used by penetration testers and security red teams to simulate a real cyber threat.
It is distributed as single Java archive file (JAR), which contains several components: a command-and-control server known as the Team Server, a client that runs on the attacker’s machine and includes the graphical user interface to interact with the server, and a remote access implant known as the Beacon deployed on the victim machine.
The server also includes an assortment of delivery templates in JavaScript, VBA macros and PowerShell that the attacker can use to execute shellcode on the target machine, which would then connect back to the team server over one of several supported protocols (HTTPS, SMB, and DNS) to download the Beacon.
It’s worth noting that Cobalt Strike is not the only such penetration testing framework available or the only one that’s being abused by cyber criminals. The open-source Metasploit Framework and its implant, called Meterpreter, were used in malicious attacks long before Cobalt Strike.
In fact, Cobalt Strike itself has its roots in the Metasploit Framework, starting out as a spin-off of Armitage, a Java-based GUI front-end for the Metasploit Framework. PowerShell Empire, another post-exploitation and adversary simulation framework also used to be popular with attackers, but the project is no longer maintained.
Cobalt Strike abusers use older variants
Unlike other tools, however, Cobalt Strike is not free. In fact, it’s quite expensive, with a per-user annual license of US$5,900. To avoid paying this price, most attackers who rely on Cobalt Strike use older versions that have been cracked and leaked online.
This creates a detection opportunity because legitimate paying customers are likely to be using the last version of the framework which includes all the latest bug fixes. This is exactly what the Google researchers had in mind when they began their effort of mapping all versions of Cobalt Strike, complete with their unique files and templates, released since 2012.
“The leaked and cracked versions of Cobalt Strike are not the latest versions from Fortra [the company that owns and sells Cobalt Strike], but are typically at least one release version behind,” researchers with Google’s Cloud Threat Intelligence (GCTI) said in a blog post.
“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cyber security vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry.”
The Google team also released YARA rules on GitHub. YARA is an open-source cross-platform tool for identifying and cataloging malware that’s used and supported by most security vendors. Security teams can also use YARA internally to hunt for threats in their networks.
Google’s rules include 165 signatures covering 34 different Cobalt Strike versions, each with 10 to 100 attack templates and typically unique Beacon components.
Who uses Cobalt Strike?
While Cobalt Strike has long been used by APT groups. One of the first cyber criminal gangs to use it extensively was Carbanak.
Carbanak was an umbrella group with different divisions that targeted financial institutions and retailers, stealing hundreds of millions of dollars after lurking inside networks and learning the financial processes and workflows of their victims before initiating money transfers. Because of its extensive use of Cobalt Strike across its attacks, Carbanak was also known as CobaltGoblin or the Cobalt Group.
Another infamous group that relied heavily on Cobalt Strike was Wizard Spider, whose creations include the notorious Trickbot botnet, as well as the Ryuk and Conti ransomware programs. In a recent report, security vendor Palo Alto Networks documented that Ransom Cartel, a possible spin-off from the REvil ransomware gang, is also using Cobalt Strike.
In another recent report documenting APT activity from the second trimester of 2022, security firm ESET noted that The Dukes (APT29) continues to use Cobalt Strike as a final payload in spear phishing campaigns using .ISO images that target government organisations.
This activity seems to match details from a joint alert issued by CISA and the FBI in May. APT29 is associated with Russia's Foreign Intelligence Service (SVR). Chinese state-sponsored cyber espionage groups also use Cobalt Strike. These include APT19, APT32 and APT41.
“GCTI's efforts to signature the variations of leaked/cracked versions of Cobalt Strike is a great start for the DFIR community,” Matt Mullins, senior security researcher at Cybrary, tells CSO.
“The rules provided specifically call out each version, the critical strings/naming conventions for the defaults of that version, as well as some of the critical aspects of assembly associated with those actions.
"This provides a very high-fidelity detection of those versions associated, which are being widely spread and used by threat actors. This information takes a lot of the heavy lift away from internal teams that might not have the technical skillset or resources to triangulate onto the discernable bits effectively.”
