Google Making Cobalt Strike Pentesting Tool Harder to Abuse

Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.


Released in 2012, Cobalt Strike is a legitimate red teaming tool: a collection of utilities, shipped as a single JAR file, that emulate the tradecraft of real adversaries. It uses a client/server architecture that gives the operator control over compromised systems from a single interface.

Cobalt Strike has evolved into a point-and-click system for deploying remote access tooling on targeted systems, and threat actors routinely abuse those capabilities for lateral movement within victim environments.

The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.

“These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.

By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.

The targeted components include the JavaScript, VBA macro and PowerShell templates used to load shellcode implants in memory. These act as stagers that retrieve the final payload, Beacon, which gives the operator control over the infected system and can load additional payloads.

“The stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the […] server. Cobalt Strike offers basic protection using a reversible XOR encoding,” Google explains.
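The point about a reversible XOR encoding is worth making concrete: a single-byte XOR hides known bytes from a naive string search, but the key space is 256 values, so a scanner can simply try every key and look for the same byte patterns it would look for in the clear. The script below, added here as an illustration and not code from Google's rule set or from Cobalt Strike, does exactly that over a constructed sample. The "signatures", the sample payload and the key 0x5A are all made up for the example; real rules carry bytes taken from the analysed components.

```python
"""Brute-forcing a single-byte XOR encoding to recover signature matches.

Added example. The payload bytes, the key and the 'signatures' below are
constructed for illustration; they are not Cobalt Strike artifacts or
Google's YARA rules.
"""
from typing import Dict, List, Tuple

# Constructed stand-ins for "known component" byte patterns that a rule
# would look for in a stager, template or beacon component.
SIGNATURES: Dict[str, bytes] = {
    "demo_stager_marker": b"STAGER-TEMPLATE-v1",
    "demo_beacon_marker": b"BEACON-COMPONENT-v1",
}

# Constructed plaintext that contains both markers; NUL bytes stand in for
# whatever surrounds them in a real component.
SAMPLE_PLAINTEXT: bytes = (
    b"\x00" * 4
    + b"demo-header:"
    + SIGNATURES["demo_stager_marker"]
    + b"\x00" * 8
    + SIGNATURES["demo_beacon_marker"]
    + b"\x00" * 4
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR. Applying it twice with the same key returns
    the input, which is why the encoding is reversible and why it offers no
    protection against a scanner willing to try all 256 keys."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int) -> bytes:
    """Encode the constructed plaintext with the given key (hypothetical payload)."""
    return xor_bytes(SAMPLE_PLAINTEXT, key)


def scan_all_keys(blob: bytes, signatures: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Try every single-byte key and report (signature_name, key, offset) for
    each signature found in the decoded output. This is what YARA's `xor`
    string modifier does for you: it searches all 256 single-byte keys."""
    hits: List[Tuple[str, int, int]] = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for name, pattern in signatures.items():
            offset = decoded.find(pattern)
            if offset != -1:
                hits.append((name, key, offset))
    return hits


def to_yara_rule(rule_name: str, signatures: Dict[str, bytes]) -> str:
    """Render the same patterns as a YARA rule using the `xor` modifier, so the
    rule matches the plaintext and any single-byte XOR encoding of it."""
    strings = "\n".join(
        f'        ${name} = "{pattern.decode("ascii")}" xor'
        for name, pattern in signatures.items()
    )
    return (
        f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
        f"    condition:\n        any of them\n}}\n"
    )


if __name__ == "__main__":
    blob = build_sample_blob(0x5A)
    for name, key, offset in scan_all_keys(blob, SIGNATURES):
        print(f"{name}: key=0x{key:02x} offset={offset}")
    print(to_yara_rule("demo_xor_encoded_component", SIGNATURES))
```

Running it reports both markers recovered under key 0x5A, at offsets 16 and 42, and prints the equivalent YARA rule. The brute-force loop is the manual version of what the `xor` modifier gives you for free; the takeaway is that a reversible single-byte encoding changes nothing about how detectable a constant component is.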


The internet giant says it has located Cobalt Strike JAR files starting with version 1.44 (released around 2012), up to version 4.7, and used its components to build YARA-based detection.

“Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them,” Google notes.

While the stagers and templates appear to remain constant across versions, a new, unique beacon component is typically created with each new Cobalt Strike release. Overall, Google has generated 165 signatures to detect these Cobalt Strike components across the identified versions.

“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors,” Google notes.

The released rules deliberately cover only older versions of the Cobalt Strike components, leaving the current release, the one legitimate paying customers run, undetected. Google notes that cracked versions typically lag at least one release behind the current one, so the gap still catches most abused copies.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry,” Google says.

Related: Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux

Related: Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution

Related: PoS Clients Targeted with Cobalt Strike, Card Scraping Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
