
Cobalt Strike


Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra, but its cracked versions are widely adopted by bad actors, who use it as their command-and-control (C2) system of choice for targeted attacks.

Type: Penetration software
Origin: Unknown
First seen: 20 February, 2012
Last seen: 27 July, 2024




What is Cobalt Strike malware

Cobalt Strike is a licensed penetration testing package developed by Fortra (previously HelpSystems) that helps red teams simulate an adversary in red-vs-blue exercises.

While the software itself is completely legal and designed for security testing, over the years many versions of it have been cracked and leaked into the wild. Despite several attempts to stop its abuse, by the developer and by the online community, attackers continue to use it to install additional payloads after compromising their victims' networks.

Most of these cracked versions were obtained by acquiring a trial copy (trials are only issued to verified parties, but attackers have evidently found ways around this) and then bypassing the license check and the trial restrictions. The trial version of Cobalt Strike carries several deliberate giveaways, such as the EICAR test string embedded in every payload and a watermark, which is why the restrictions have to be stripped before the copy is usable for real attacks.

Because it is a legitimate tool, there is a great deal of educational material online illustrating what Cobalt Strike can do, such as the official playlist on YouTube. This naturally lowers the entry threshold and contributes to the software's popularity among bad actors: one can literally learn how to abuse it directly from its creators.

Cracked Cobalt Strike versions circulate freely on various underground forums and are sometimes found on clearnet resources such as GitHub. Although most of them are somewhat outdated, they still pose a serious threat: many criminal groups use them to gain initial access and move laterally through victims' networks.

Cobalt Strike malware analysis review

Cobalt Strike consists of multiple components that together form a comprehensive attack suite. The central element is the Team Server, which acts both as the C2 server and as the coordinating program that lets multiple operators work together and control compromised devices. To access it, operators use the Client component, which serves as the GUI for the Team Server.

The Team Server can generate small shellcode implants called Stagers. These fileless implants are available as VBA, JavaScript and PowerShell macro templates. Once an attacker gets a Stager running on a host inside the victim's network, it contacts the Team Server over HTTP/HTTPS, SMB, or DNS to fetch and install the main payload, known as the Beacon.

The Beacon is the core binary that allows the attacker to control infected machines remotely. It supports a wide range of malicious operations and is designed to be configurable and expandable. This is often used to deliver and run custom modules, which makes Cobalt Strike's malicious capabilities virtually limitless. What's more, there are built-in modules that let attackers customize the payload to avoid detection: these include the Artifact Kit, Malleable C2 Profiles, and the Resource Kit.

Also, it’s important to note that since Cobalt Strike was originally designed for team exercises, the Team Server and Client modules allow criminal gangs to coordinate hacks with multiple attackers acting simultaneously, potentially targeting multiple weak spots.

The payloads usually delivered by Cobalt Strike range from ransomware to spyware, and the tool is also used by advanced persistent threat groups.

How to get more information from Cobalt Strike malware

ANY.RUN helps analysts track the execution process of Cobalt Strike in an interactive online sandbox.

ANY.RUN users can access the analysis results 10 seconds after launching the sandbox, which saves crucial time, especially during incident response when every second matters.

Cobalt Strike malware configuration

Figure 1: Cobalt Strike malware configuration

Cobalt Strike execution process

The execution of Cobalt Strike varies greatly from sample to sample. Not only are there many iterations of the client, but the program itself is frequently updated by the developers. Besides the common variant that uses an executable file, there are also versions that use PowerShell or JavaScript to take control of the infected system.

In ANY.RUN, users can study the extracted configuration of a Cobalt Strike sample to better understand how it works.
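As an added example (not part of this page, and not code from ANY.RUN or Cobalt Strike itself), the following Python decoder shows what lies behind a configuration like the one in Figure 1: the Beacon keeps its settings in a small XOR-obfuscated type-length-value table that a defender can locate and decode from a dumped sample. The XOR keys (0x69 for v3, 0x2e for v4), the 6-byte record header and the setting numbers follow the layout used by public open-source config extractors; they are assumptions here, and the sample blob is constructed for the demonstration.

```python
import struct

# Record for setting 1 (BeaconType): index 1, type 1 (short), length 2.
# Public extractors search for this header, XORed with the key, to find the table (assumption).
MAGIC = b"\x00\x01\x00\x01\x00\x02"
XOR_KEYS = (0x69, 0x2E)  # v3 and v4 keys as used by public extractors (assumption)

# Setting numbers and Beacon types as used by public extractors (assumption, not from the page).
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
                 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def parse_settings(block: bytes) -> dict:
    """Walk records of the form index(2) type(2) length(2) value(length), big-endian."""
    settings, pos = {}, 0
    while pos + 6 <= len(block):
        idx, typ, length = struct.unpack(">HHH", block[pos:pos + 6])
        if idx == 0:                      # an all-zero record terminates the table
            break
        raw = block[pos + 6:pos + 6 + length]
        if typ == 1:                      # 2-byte short
            val = struct.unpack(">H", raw[:2])[0]
        elif typ == 2:                    # 4-byte int
            val = struct.unpack(">I", raw[:4])[0]
        else:                             # type 3: NUL-padded bytes/string
            val = raw.rstrip(b"\x00").decode("latin-1")
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = val
        pos += 6 + length
    if "BeaconType" in settings:
        settings["BeaconType"] = BEACON_TYPES.get(settings["BeaconType"], settings["BeaconType"])
    return settings

def extract_config(blob: bytes):
    """Locate the obfuscated table in a file or memory dump, de-XOR it and decode it."""
    for key in XOR_KEYS:
        start = blob.find(xor_bytes(MAGIC, key))
        if start != -1:
            return parse_settings(xor_bytes(blob[start:], key))
    return None  # no Beacon settings table found

def build_sample() -> bytes:
    """Constructed test blob (not a real sample): a few settings, obfuscated and padded."""
    def rec(idx, typ, value):
        return struct.pack(">HHH", idx, typ, len(value)) + value
    table = (rec(1, 1, struct.pack(">H", 8)) + rec(2, 1, struct.pack(">H", 443))   # HTTPS, 443
             + rec(3, 2, struct.pack(">I", 60000)) + rec(5, 1, struct.pack(">H", 20))  # 60 s, 20 %
             + rec(8, 3, b"c2.example.invalid,/api/v1/status".ljust(64, b"\x00")) + rec(0, 0, b""))
    return b"JUNK" * 8 + xor_bytes(table, 0x69) + b"\x00" * 16
```

Running `extract_config(build_sample())` yields the decoded C2 host, port, sleep time and jitter, the same fields an analyst reads off the sandbox's configuration view.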

Distribution of Cobalt Strike

Unfortunately, the distribution of Cobalt Strike is poorly documented, but it is believed to be delivered using macros that come with an infected executable embedded in a phishing email. There are few reports on this particular malware, so the conclusion was drawn from the little information available and from the fact that phishing is by far the most common attack vector.

Conclusion

Cobalt Strike has gained an excellent reputation among cybercriminals who continue to use it as their Command and Control system of choice to deliver and execute a wide variety of payloads. This is a perfect example of what a legitimate piece of kit can do in the wrong hands. That said, its abuse is a fairly well-researched topic in the community, and there are guides like this one and this one that can help you defend against attacks using this software.

We hope that as the good research continues, and organizations arm themselves against cracked copies of Cobalt Strike, the abuse of this powerful cybersecurity tool will eventually stop.
