SecurityWeek

Management & Strategy

Google Making Cobalt Strike Pentesting Tool Harder to Abuse

Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.


Released in 2012, Cobalt Strike is a legitimate red teaming tool that consists of a collection of utilities packaged in a JAR file and designed to emulate real cyberthreats. It uses a client/server model that gives the operator control over compromised systems from a single interface.

Cobalt Strike has evolved into a point-and-click system for deploying remote access tools on targeted systems, with threat actors abusing its capabilities for lateral movement into victim environments.

The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.

“These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.

By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.

The targeted components include templates for JavaScript, VBA macros, and PowerShell scripts that load shellcode implants in memory. These serve as stagers that retrieve the final payload: a Beacon that provides control over the infected system and supports the deployment of additional payloads.

“The stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the […] server. Cobalt Strike offers basic protection using a reversible XOR encoding,” Google explains.
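A reversible XOR layer is exactly the kind of obfuscation a signature can see through by trial-decoding, which is what YARA's `xor` string modifier does. The following added example (not Google's rules or Cobalt Strike code) shows that idea in Python on a constructed sample: the marker string, key and blob are made up here and do not describe Cobalt Strike's real templates or encoding.

```python
"""Added example: spot a known plaintext marker hidden behind a single-byte XOR
layer, the same idea as YARA's `xor` string modifier. All sample data below is
constructed for illustration, not taken from Cobalt Strike."""
from typing import Optional, Tuple


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_xored_marker(blob: bytes, marker: bytes) -> Optional[Tuple[int, int]]:
    """Return (key, offset) if `marker` occurs in `blob` under any single-byte
    XOR key, else None. Key 0 covers the unencoded case.

    Instead of decoding the whole blob 256 times, encode the short marker with
    each candidate key and search for it, so cost is 256 substring searches."""
    for key in range(256):
        needle = xor_single_byte(marker, key)
        off = blob.find(needle)
        if off != -1:
            return key, off
    return None


# Constructed sample: a fake script template with a recognisable marker,
# wrapped in one XOR layer as a stand-in for an encoded stager artefact.
MARKER = b"EXAMPLE_STAGER_MARKER"
SAMPLE_PLAINTEXT = b"var x = 1;\n// loader\n" + MARKER + b"(...)"
SAMPLE_KEY = 0x5A  # constructed key, not a Cobalt Strike value
SAMPLE_BLOB = b"PK\x03\x04" + xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def scan(blob: bytes = SAMPLE_BLOB, marker: bytes = MARKER) -> dict:
    """Report whether the marker is present under some XOR key, and where."""
    hit = find_xored_marker(blob, marker)
    if hit is None:
        return {"detected": False}
    key, off = hit
    return {"detected": True, "key": key, "offset": off}


if __name__ == "__main__":
    print(scan())
```

In a YARA rule the equivalent is a string declared with the `xor` modifier, which makes the engine try every single-byte key for that string.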

The internet giant says it has located Cobalt Strike JAR files starting with version 1.44 (released around 2012), up to version 4.7, and used its components to build YARA-based detection.

“Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them,” Google notes.

While the stagers and templates appear to remain constant across versions, a new, unique beacon component is typically created with each new Cobalt Strike release. Overall, Google has generated 165 signatures to detect these Cobalt Strike components across the identified versions.

“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors,” Google notes.

The newly released detection tools target only older versions of Cobalt Strike components, leaving the most recent ones, which are used by paying customers, untouched. Google notes that the cracked versions are typically at least one release behind.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry,” Google says.

Related: Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux

Related: Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution

Related: PoS Clients Targeted with Cobalt Strike, Card Scraping Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
