Google Making Cobalt Strike Pentesting Tool Harder to Abuse

Google has announced the release of YARA rules and a VirusTotal Collection to help detect Cobalt Strike and disrupt its malicious use.

Released in 2012, Cobalt Strike is a legitimate red teaming tool that consists of a collection of utilities in a JAR file that can emulate real cyberthreats. It uses a server/client approach to provide the attacker with control over infected systems, from a single interface.

Cobalt Strike has evolved into a point-and-click system for deploying remote access tools on targeted systems, with threat actors abusing its capabilities for lateral movement into victim environments.

The tool’s vendor has in place a vetting system to prevent selling the software to malicious entities, but cracked versions of Cobalt Strike have been available for years.

“These unauthorized versions of Cobalt Strike are just as powerful as their retail cousins except that they don’t have active licenses, so they can’t be upgraded easily,” Google notes.

By releasing open-source YARA rules and a VirusTotal Collection that integrates them, Google aims to help organizations flag and identify Cobalt Strike’s components, to improve protections.

The targeted components include templates for JavaScript, VBA macros, and PowerShell scripts that can be used to deploy shellcode implants in memory, to serve as stagers that deploy the final payload, a Beacon offering control over the infected system and support for deploying additional payloads.

“The stagers, templates, and beacon are contained within the Cobalt Strike JAR file. They are not created on the fly, nor are they heavily obfuscated before deployment from the […] server. Cobalt Strike offers basic protection using a reversible XOR encoding,” Google explains.

The internet giant says it has located Cobalt Strike JAR files starting with version 1.44 (released around 2012), up to version 4.7, and used its components to build YARA-based detection.

“Each Cobalt Strike version contains approximately 10 to 100 attack template binaries. We found 34 different Cobalt Strike release versions with a total of 275 unique JAR files across these versions. All told, we estimated a minimum of 340 binaries that must be analyzed and have signatures written to detect them,” Google notes.

While the stagers and templates appear to remain constant across versions, a new, unique beacon component is typically created with each new Cobalt Strike release. Overall, Google has generated 165 signatures to detect these Cobalt Strike components across the identified versions.

“We decided that detecting the exact version of Cobalt Strike was an important component to determining the legitimacy of its use by non-malicious actors since some versions have been abused by threat actors,” Google notes.

The newly released detection tools target only non-current versions of Cobalt Strike components, so that the most recent ones, which are used by paying customers, remain untouched. Google warns that the cracked versions are typically at least one iteration behind.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal. We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry,” Google says.

Related: Cobalt Strike Beacon Reimplementation ‘Vermilion Strike’ Targets Windows, Linux

Related: Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution

Related: PoS Clients Targeted with Cobalt Strike, Card Scraping Malware