Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime, APT Groups

Incident response cases and research show how the red-team tool has become a go-to for attackers.

RSA CONFERENCE 2021 - For nearly two decades, the open source Metasploit hacking platform has drawn a mix of enthusiasm and frustration from security teams, which need the tool to test their own networks but also fear that cybercriminals or other bad actors could use it against them in attacks.

Metasploit remains popular today among good and bad hackers, but another red-team tool, Cobalt Strike, is increasingly playing a major role in attacks. Attackers weaponize customized, cloned, or even purchased versions of Cobalt Strike for the second stage of an attack, using it to carry payloads (including Metasploit exploits) once they have penetrated the victim's network.

The threat-emulation software suite for penetration testing was created by researcher Raphael Mudge in 2012 and was acquired last year by HelpSystems. The component most popular with malicious hackers is Beacon, a payload that operates like an attacker: running PowerShell scripts, logging keystrokes, snapping screenshots, stealing files, and dropping other payloads or malware.

HelpSystems declined to comment for this article.


New data from Sophos that cataloged attacker behavior, tools, techniques, and procedures (TTPs) witnessed by its threat hunters and incident responders last year and through the first part of 2021 shows that Cobalt Strike is one of the top five tools used by attackers. It's also a key element when attackers employ PowerShell commands to camouflage their activity on a victim's network. Nearly 60% of PowerShell exploits employ Cobalt Strike, and some 12% of attacks use a combination of Cobalt Strike and Microsoft Windows tools PowerShell and PsExec. It's also paired with PsExec in nearly a third of attacks, according to Sophos's new "Active Adversary Playbook 2021" report.

"Cobalt Strike lends itself to being deployed by PowerShell" and PsExec, says John Shier, senior security advisor at Sophos. "The code [Cobalt Strike] was leaked online a long time ago, [attackers] know how to use it, and it's an evasion technology" to remain under the radar as an attack escalates and spreads.

In one of its more high-profile uses by attackers, the Russian GRU hacking team behind the SolarWinds supply-chain attack campaign built custom shellcode loaders that dropped Cobalt Strike payloads: the Teardrop and Raindrop malware components of the attack.

Researchers and incident responders at Intel 471 say the malicious use of Cobalt Strike correlates with ransomware's rise in recent years, but the tool is also used for dropping other types of malware and for stealing data. Among the malware groups using Cobalt Strike: Trickbot, Hancitor, Qbot, SystemBC, Smokeloader, and Bazar. The researchers today published indicators of compromise for Cobalt Strike use alongside these malware families.

Brandon Hoffman, CISO at Intel 471, says attackers appear to like the features of Cobalt Strike, specifically the Beacon component. "It has so many features built into it from a post-exploit tool perspective; it's a perfect fit for second-stage attack and instead of picking and choosing different pieces of malware, you just drop this tool and all of its features in it," he says.

The tool also contains a "malleable" command and control (C2) function, which allows an attacker to fashion its C2 network to appear like a different threat actor group. "Malleable C2 lets you mimic behavior or make C2 traffic look like almost any legitimate service," he says. So if an organization allows users to stream Pandora, for example, a Malleable C2 could be disguised as Pandora traffic in the victim's network, he says.

"That makes it extremely difficult" to spot an attack, Hoffman says. "Beacon is so customizable."

Even so, there are ways to spot malicious abuse of Cobalt Strike, experts say. Aside from attackers making mistakes and leaving behind clues or breadcrumbs, you can watch a Cobalt Strike-borne attack unfold if you are monitoring network activity: "Because Cobalt Strike is not generally used at the first attack vector, in the middle of an incident response [case] if you see something come in from one of the command-and-control servers it could potentially be Beacon," Hoffman explains. Yara rules written for certain malicious scripts can detect it as well.
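One way to put the monitoring advice above into practice, as an added example that is not part of this article and is not code from Intel 471, Sophos, or HelpSystems: a Beacon that sleeps and calls home on a configured interval (even with jitter, and even when a Malleable C2 profile disguises the traffic as a legitimate service) leaves a periodicity in proxy logs that human browsing does not. The Python below groups constructed proxy log lines by source and destination and flags pairs whose request gaps have a low coefficient of variation. The hostnames, timestamps, log format, and thresholds are all constructed for the example; the article does not describe this analysis, and it generalizes the "watch what comes in from a C2 server" advice to traffic you have not yet attributed to any C2 server.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Flags (source, destination) pairs whose outbound requests recur at a
near-constant interval, the pattern a sleeping implant produces even
when each request is dressed up to look like a legitimate service.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: workstation ws-17 calls one host every ~60 s with a
# few seconds of jitter, and also browses a news site in bursts.  Hosts,
# paths and times are made up for this example.
SAMPLE_LOG = """\
2021-05-17T09:00:00 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:00:05 ws-17 news.example.org GET /
2021-05-17T09:00:06 ws-17 news.example.org GET /css/site.css
2021-05-17T09:00:06 ws-17 news.example.org GET /js/app.js
2021-05-17T09:00:58 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:02:01 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:02:40 ws-17 news.example.org GET /article/42
2021-05-17T09:03:03 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:03:59 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:05:02 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:06:00 ws-17 music-cdn.example.net GET /stream/track/8813
2021-05-17T09:12:15 ws-17 news.example.org GET /article/43
2021-05-17T09:12:16 ws-17 news.example.org GET /css/site.css
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # constructed log format: "<ts> <src> <dst> <method> <path>"


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue  # malformed timestamp: not worth aborting the whole scan
        yield ts, parts[1], parts[2]


def find_beacons(text, min_requests=6, max_cv=0.25):
    """Return [(src, dst, mean_gap_seconds, cv)] for pairs that look periodic.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    consecutive requests.  A sleep with a small jitter yields a cv well
    below max_cv; human- or content-driven traffic is bursty and does not.
    The thresholds are illustrative starting points, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{avg}s (cv={cv}); review as a possible beacon")
```

On the constructed sample the news site is dropped (its gaps swing between one second and several minutes) while the music host surfaces with a mean gap of 60 seconds and a cv of about 0.05. Treat the output as a triage list rather than a verdict: update checkers and telemetry agents also poll on fixed schedules, so the next step is to look at what the flagged host is and what the responses carry, which is where the Yara and indicator-based checks mentioned above come in.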

"Where we saw Cobalt Strike in the wild, some folks had repurposed it for the same malware family," says Hoffman, whose team today published its findings on cybercrime groups deploying Cobalt Strike (including indicators of compromise).

Ransomware Thread

"We've seen a correlation between the rise of Cobalt Strike use [by adversaries] and a rise in ransomware. We're not saying Cobalt Strike is fueling" ransomware, Hoffman says. It's more that ransomware is dropped at the later stages of an attack chain. "Before they get to the ransomware, attackers first have to deploy something like this [Cobalt Strike]." So, spotting that activity before ransomware is installed can save a lot of headache.

Speaking of ransomware, Sophos' IR and threat-hunting data found ransomware in more than 80% of the incidents it investigated. "Ransomware is noisy, it needs to grab attention," which is why those cases were flagged for an investigation, Sophos' Shier says. "[In] a lot of the attacks we stopped, we noticed there had been Cobalt Strike activity" as well, he says.

Researchers at Red Canary also have spotted attackers wielding Cobalt Strike in targeted attacks, including payment card theft and ransomware campaigns. They described incidents in which attackers using Bazar malware deployed Cobalt Strike payloads before dropping Ryuk ransomware on the victim, all within a two-hour window.

"Cobalt Strike is so common and reliable that adversaries create their own custom tooling to simply deploy the payloads, knowing that they will likely succeed if they can just get the payload past security controls. This capability demonstrates how Cobalt Strike fits into the threat model for nearly any organization," according to Red Canary's report, which includes details on ways to detect malicious Cobalt Strike activity. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
