Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.
Released in 2012, Cobalt Strike is a legitimate red teaming tool that consists of a collection of utilities in a JAR file that can emulate real cyberthreats. It uses a server/client approach to provide the attacker with control over infected systems, from a single interface.
Cobalt Strike has evolved into a point-and-click system for deploying remote access tools on targeted systems, with threat actors abusing its capabilities for lateral movement into victim environments.
The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.
“These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.
By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.
The targeted components include templates for JavaScript, VBA macros, and PowerShell scripts that can be used to deploy shellcode implants in memory, to serve as stagers that deploy the final payload, a Beacon offering control over the infected system and support for deploying additional payloads.
“The stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the […] server. Cobalt Strike offers basic protection using a reversible XOR encoding,” Google explains.
The internet giant says it has located Cobalt Strike JAR files starting with version 1.44 (released around 2012), up to version 4.7, and used its components to build YARA-based detection.
“Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them,” Google notes.
While the stagers and templates appear to remain constant across versions, a new, unique beacon component is typically created with each new Cobalt Strike release. Overall, Google has generated 165 signatures to detect these Cobalt Strike components across the identified versions.
“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors,” Google notes.
The newly released detection tools target only non-current versions of Cobalt Strike components, so that the most recent ones, which are used by paying customers, remain untouched. Google warns that the cracked versions are typically at least one iteration behind.
“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry,” Google says.
Related: Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux
Related: Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution
Related: PoS Clients Targeted with Cobalt Strike, Card Scraping Malware

More from Ionut Arghire
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- iOS Security Update Patches Exploited Vulnerability in Older iPhones
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- GitHub Rotates Publicly Exposed RSA SSH Private Key
Latest News
- Mandiant Catches Another North Korean Gov Hacker Group
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
