Cobalt Strike

Cobalt Strike is a legitimate, commercially licensed penetration-testing toolkit developed by Fortra. Cracked copies, however, are widely used by threat actors, who have made it their command-and-control (C2) framework of choice for targeted attacks.

Type
Penetration software
Origin
Unknown
First seen
20 February, 2012
Last seen
3 February, 2023
Global rank
36
Week rank
21
Month rank
19
IOCs
20283

What is Cobalt Strike malware

Cobalt Strike is a licensed adversary-simulation package, originally written by Raphael Mudge and now developed by Fortra (previously HelpSystems), that lets red teams emulate a real adversary in red-versus-blue exercises.

While the software itself is completely legal and built for security testing, over the years many versions of it have been cracked and leaked. Despite repeated attempts by the vendor and the security community to curb the abuse, attackers continue to use it to deploy further payloads once they have compromised a victim's network.

Most cracked builds start from a trial copy. Fortra issues trials only to vetted parties, but attackers have evidently found ways around that, after which they patch out the license check and then strip the trial restrictions. (The trial build is deliberately noisy: it embeds the EICAR test string in generated payloads, adds an X-Malware header to its HTTP staging traffic, and carries a watermark of 0, so defenders can spot it easily.)

Because it is a legitimate product, there is a great deal of educational material online that shows what Cobalt Strike can do, including the vendor's own official video series. That naturally lowers the barrier to entry and contributes to the tool's popularity among criminals: one can learn how to use it straight from its creators.

Cracked versions circulate freely on underground forums and occasionally turn up on clearnet sites such as GitHub. Most of them lag the current release by a version or more, but they remain a serious threat: many criminal groups rely on them to establish a foothold and move laterally through victims' networks.

Cobalt Strike malware analysis review

Cobalt Strike consists of several components that together form a complete post-exploitation suite. The central element is the Team Server, which acts both as the C2 server and as the shared hub through which several operators coordinate and control compromised hosts. Operators connect to it through the Client, the Java GUI for the Team Server.

The Team Server generates small shellcode payloads called stagers, which it can package in many artifact formats: executables, DLLs, raw shellcode, and PowerShell, VBA and JavaScript/HTA templates. Once a stager runs on a host inside the victim's network, it contacts the Team Server over HTTP/HTTPS or DNS to download the full payload, the Beacon. (The Team Server can also produce stageless Beacons that carry the full payload from the start, and SMB and TCP Beacons are peer-to-peer variants that link through another Beacon rather than calling out directly.)
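One way to spot the staging request described above in web-proxy logs, as an added example (this is not ANY.RUN's or Fortra's code). The default HTTP/HTTPS stager asks for a short random path whose 8-bit checksum is 92 for an x86 stage and 93 for an x64 stage; the Team Server serves the stage based on that checksum, so the path itself looks random. The log format and all addresses below are constructed for the example.

```python
"""Flag HTTP requests that look like Cobalt Strike stager downloads.

Added example for this page (not ANY.RUN's or Fortra's code).  The default
HTTP/HTTPS stager requests a short random path whose 8-bit checksum (sum of
the path's byte values modulo 256) is 92 for an x86 Beacon stage and 93 for
an x64 stage; the Team Server picks the stage from that checksum, so the path
itself looks random.  The log format below is constructed for the example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

X86_STAGE = 92          # checksum8 value the server maps to the 32-bit stage
X64_STAGE = 93          # checksum8 value the server maps to the 64-bit stage

# URIs served by the built-in default Malleable C2 profile (no profile loaded).
DEFAULT_PROFILE_URIS = {"/submit.php", "/dpixel", "/__utm.gif", "/pixel.gif"}

# Constructed sample proxy log, format: <client> "<method> <url>" <status>
SAMPLE_LOG = """\
10.0.0.12 "GET http://203.0.113.5/Hq6m" 200
10.0.0.12 "GET http://203.0.113.5/KzmT" 200
10.0.0.12 "GET http://203.0.113.5/favicon.ico" 404
10.0.0.31 "GET http://203.0.113.5/jquery-3.3.1.min.js" 200
10.0.0.44 "GET http://198.51.100.9/pD2w" 200
10.0.0.44 "POST http://198.51.100.9/submit.php?id=1234" 200
"""

LINE_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+)" (\d{3})$')


def checksum8(path: str) -> int:
    """Checksum over the path without its leading slash, modulo 256."""
    return sum(path.lstrip("/").encode("ascii", "replace")) % 256


def classify_uri(url: str) -> Optional[str]:
    """Return a verdict for a suspicious URL, or None if it is unremarkable."""
    path = urlsplit(url).path
    if path in DEFAULT_PROFILE_URIS:
        return "default-profile-uri"
    token = path.lstrip("/")
    # Stager paths are short and purely alphanumeric; anything else is skipped
    # so that ordinary files like /favicon.ico never reach the checksum test.
    if not (3 <= len(token) <= 8 and token.isalnum()):
        return None
    value = checksum8(token)
    if value == X86_STAGE:
        return "x86-stager"
    if value == X64_STAGE:
        return "x64-stager"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Run classify_uri over every parsable line; return (client, url, verdict) hits."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, _method, url, _status = match.groups()
        verdict = classify_uri(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{client:<12} {verdict:<20} {url}")
```

A random four-character alphanumeric path lands on 92 or 93 by chance roughly once in 128 requests, so treat a hit as a triage lead and confirm it with the response size (a stage is a few hundred kilobytes of shellcode) and with what the client did next. A custom Malleable C2 profile can change the staging URI entirely, and stageless payloads never stage at all, so a clean scan proves nothing.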

The Beacon is the core implant that lets the operator control an infected machine remotely. It supports a long list of post-exploitation operations and is designed to be configurable and extensible: besides its built-in commands it can load operator-supplied modules (reflectively loaded DLLs and, since version 4.1, Beacon Object Files), which makes its malicious capabilities practically limitless. On top of that, the product ships with kits for tailoring the payload to evade detection: the Artifact Kit (custom executable and DLL artifacts), Malleable C2 profiles (the shape of network traffic and in-memory characteristics), and the Resource Kit (the PowerShell, VBA and HTA script templates).

It is also worth noting that, because Cobalt Strike was designed for team exercises, the Team Server and Client let criminal gangs coordinate an intrusion with several operators working simultaneously, potentially against several weak spots at once.

The payloads delivered through Cobalt Strike range from ransomware and spyware to the custom tooling of advanced persistent threat (APT) groups.

How to get more information from Cobalt Strike malware

ANY.RUN lets analysts follow the execution of a Cobalt Strike sample step by step in an interactive online sandbox.

Analysis results become available about 10 seconds after a task is launched, which saves crucial time during incident response, when every second matters.

Cobalt Strike malware configuration

Figure 1: Cobalt Strike malware configuration
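The configuration shown in Figure 1 is carried inside the Beacon itself, and a defender can recover it from a memory dump without running the sample. The following added example (not ANY.RUN's or Fortra's code) decodes a Beacon config block; the layout is the publicly documented one used by open-source extractors such as Didier Stevens' 1768.py, and the "memory dump" it parses is constructed inside the script rather than taken from a real sample.

```python
"""Decode a Cobalt Strike Beacon configuration block from a memory dump.

Added example for this page (not ANY.RUN's or Fortra's code).  Layout as
documented by open-source extractors such as 1768.py: a run of entries,
    index (u16 BE) | type (u16 BE) | length (u16 BE) | value
with type 1 = u16, 2 = u32, 3 = bytes (strings NUL-padded to a fixed size),
ended by an index of 0; the whole block is XOR-ed with one byte (0x69 in
Beacon 3.x, 0x2e in 4.x).  The sample blob below is constructed here.
"""
import struct
from typing import Dict, Optional, Tuple, Union

FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    14: "SpawnTo", 15: "PipeName", 26: "HttpGetVerb", 27: "HttpPostVerb",
    29: "SpawnToX86", 30: "SpawnToX64", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
XOR_KEYS = (0x2E, 0x69)
# The first entry is always BeaconType (index 1, type 1, length 2), so its
# encoded header is a reliable search marker for each candidate key.
HEADER_PLAIN = b"\x00\x01\x00\x01\x00\x02"


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _entry(index: int, etype: int, value: Union[int, bytes], pad: int = 0) -> bytes:
    """Encode one config entry (only used to build the constructed sample)."""
    if etype == 1:
        raw = struct.pack(">H", value)
    elif etype == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value.ljust(pad, b"\x00")
    return struct.pack(">HHH", index, etype, len(raw)) + raw


def build_sample_blob() -> bytes:
    """Constructed 'memory dump': junk bytes around an XOR-0x2e Beacon 4.x config."""
    plain = b"".join([
        _entry(1, 1, 8),                 # BeaconType = HTTPS
        _entry(2, 1, 443),               # Port
        _entry(3, 2, 60000),             # SleepTime (ms)
        _entry(4, 2, 1048576),           # MaxGetSize
        _entry(5, 1, 20),                # Jitter (%)
        _entry(8, 3, b"cdn.example.net,/jquery-3.3.1.min.js", 256),  # "host,/get-uri"
        _entry(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 128),
        _entry(10, 3, b"/jquery-3.3.2.min.js", 64),
        _entry(37, 2, 0),                # Watermark 0 = trial build
        b"\x00\x00",                     # terminator: index 0
    ])
    return b"MZ\x90\x00" + b"\x41" * 32 + _xor(plain, 0x2E) + b"\x00" * 16


def find_config(blob: bytes) -> Optional[Tuple[int, int]]:
    """Locate the encoded config; return (offset, xor_key) or None."""
    for key in XOR_KEYS:
        pos = blob.find(_xor(HEADER_PLAIN, key))
        if pos != -1:
            return pos, key
    return None


def parse_config(blob: bytes) -> Dict[str, Union[int, str]]:
    """Decode every entry of the config into a {field name: value} dict."""
    hit = find_config(blob)
    if hit is None:
        raise ValueError("no Beacon config header found for any known XOR key")
    pos, key = hit
    data = _xor(blob[pos:], key)
    cfg: Dict[str, Union[int, str]] = {}
    off = 0
    while off + 6 <= len(data):
        index, etype, length = struct.unpack_from(">HHH", data, off)
        off += 6
        if index == 0:                   # end of config
            break
        raw = data[off:off + length]
        if len(raw) != length:           # truncated dump: stop rather than misparse
            break
        off += length
        name = FIELD_NAMES.get(index, f"Field_{index}")
        if etype == 1:
            cfg[name] = struct.unpack(">H", raw)[0]
        elif etype == 2:
            cfg[name] = struct.unpack(">I", raw)[0]
        else:
            stripped = raw.rstrip(b"\x00")
            printable = all(32 <= b < 127 for b in stripped)
            cfg[name] = stripped.decode("ascii") if printable else stripped.hex()
    return cfg


def summarize(cfg: Dict[str, Union[int, str]]) -> Dict[str, Union[bool, str]]:
    """Pull out the fields an analyst pivots on first."""
    return {
        "beacon_type": BEACON_TYPES.get(int(cfg.get("BeaconType", -1)), "unknown"),
        "c2": str(cfg.get("C2Server", "")),
        "sleep_jitter": f"{cfg.get('SleepTime', 0)} ms / {cfg.get('Jitter', 0)} %",
        # Watermark 0 means a trial build; a non-zero value is a license ID that
        # can be used to cluster samples coming from the same (cracked) copy.
        "trial_build": cfg.get("Watermark") == 0,
    }


if __name__ == "__main__":
    parsed = parse_config(build_sample_blob())
    for k, v in parsed.items():
        print(f"{k:<12} {v}")
    print(summarize(parsed))
```

Run against a real process dump, the same search works because the first entry of every Beacon config is the BeaconType header; if neither key matches, the sample most likely uses a Malleable C2 profile that changes the config encoding, or the dump was taken before the stage was loaded.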

Cobalt Strike execution process

The execution chain of Cobalt Strike varies greatly from sample to sample: many versions of the software are in circulation, the vendor updates it frequently, and operators customize the payloads they generate. Besides the common case of a plain executable, there are loaders based on PowerShell or JavaScript that take control of the infected system.

In ANY.RUN, users can inspect the extracted Beacon configuration of a Cobalt Strike sample (C2 address and URIs, sleep time and jitter, spawn-to process, watermark) to understand how that particular build operates.

Distribution of Cobalt Strike

The delivery of Cobalt Strike is harder to pin down than that of most malware families, because it is usually a second stage: it is most often dropped by another loader already running on the host, or launched by a malicious Office macro attached to a phishing email. Given the limited public reporting and the fact that phishing remains by far the most common initial access vector, that is the best available conclusion.

Conclusion

Cobalt Strike has gained an excellent reputation among cybercriminals, who continue to use it as their command-and-control system of choice for delivering and executing a wide variety of payloads. It is a textbook example of what a legitimate piece of kit can do in the wrong hands. That said, its abuse is a well-researched topic in the community, and there are published defensive guides that can help you detect and withstand attacks using this software.

We hope that as the good research continues, and organizations arm themselves against cracked copies of Cobalt Strike, the abuse of this powerful cybersecurity tool will eventually stop.

IOCs

IP addresses
92.255.85.141
104.21.33.112
176.123.3.104
110.42.211.86
107.175.91.198
198.13.45.227
58.218.215.138
45.138.209.23
111.231.97.251
31.44.184.100
49.234.67.167
51.83.57.149
120.79.114.32
104.21.63.119
47.112.178.28
172.67.165.102
139.60.161.99
104.194.215.192
172.67.156.168
176.123.3.108
Hashes

Domains
qxq.ddns.net
wcpstatic.microsoft.com
livecentercdn.norkon.net
lgincdnmsftuswe2.azureedge.net
acctcdn.msftauth.net
lgincdnvzeuno.azureedge.net
devtools.azureedge.net
g.deepintent.com
fp-afd-nocache.azureedge.net
amcdn.msftauth.net
api-01.moengage.com
a.trellocdn.com
ys.kic-software.de
www.clarity.ms
exchange.mediavine.com
www.kofax.com
api.blockcypher.com
www.chuyu.me
ppp-gl.biz
www.accentuable.info

Note: several of the hostnames listed above (for example wcpstatic.microsoft.com, www.clarity.ms and the azureedge.net and msftauth.net CDN names) are legitimate Microsoft or third-party CDN and telemetry endpoints that appear as background traffic in sandbox runs; validate each entry before adding it to a blocklist.
