Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
05:35 PM
Connect Directly

Cobalt Strike Becomes a Preferred Hacking Tool by Cybercrime, APT Groups

Incident response cases and research show how the red-team tool has become a become a go-to for attackers.

RSA CONFERENCE 2021 - For nearly two decades, the open source Metasploit hacking platform has garnered a mix of enthusiasm and frustration by security teams that both need the tools to test their own networks but also fear cybercriminals or other bad actors could use it against them in attacks.

Metasploit remains popular today among good and bad hackers, but another red-team tool, Cobalt Strike, is increasingly playing a major role in attacks. Attackers are weaponizing the tool for the second stage of attacks to carry payloads (including Metasploit exploits) once they have penetrated the victim's network using customized, cloned, or even purchased versions of Cobalt Strike.

The threat-emulation software suite for penetration testing was created by researcher Raphael Mudge in 2012 and was acquired last year by HelpSystems. Its most popular component by nefarious hackers is Beacon, a payload that operates like an attacker, running PowerShell scripts, logging keystrokes, snapping screenshots, stealing files, and dropping other payloads or malware.

HelpSystems declined to comment for this article.

Related Content:

How to Identify Cobalt Strike on Your Network

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How to Get Employees to Care About Security

New data from Sophos that cataloged attacker behavior, tools, techniques, and procedures (TTPs) witnessed by its threat hunters and incident responders last year and through the first part of 2021 shows that Cobalt Strike is one of the top five tools used by attackers. It's also a key element when attackers employ PowerShell commands to camouflage their activity on a victim's network. Nearly 60% of PowerShell exploits employ Cobalt Strike, and some 12% of attacks use a combination of Cobalt Strike and Microsoft Windows tools PowerShell and PsExec. It's also paired with PsExec in nearly a third of attacks, according to Sophos's new "Active Adversary Playbook 2021" report.

"Cobalt Strike lends itself to being deployed by PowerShell" and PsExec, says John Shier, senior security advisor at Sophos. "The code [Cobalt Strike] was leaked online a long time ago, [attackers] know how to use it, and it's an evasion technology" to remain under the radar as an attack escalates and spreads.

In one of its more high-profile uses by attackers, the Russian GRU hacking team behind the SolarWinds supply-chain attack campaign built custom shellcode loaders that dropped Cobalt Strike payloads: the Teardrop and Raindrop malware components of the attack.

Researchers and incident responders at Intel 471 say the malicious use of Cobalt Strike correlates with ransomware's rise in recent years, but it's also used for dropping other types of malware and for stealing data. Among the malware groups using Cobalt Strike: Trickbot, Hancitor, Qbot, SystemBC, Smokeloader, and Bazar. The researchers today published indicators of compromise that indicate Cobalt Strike is in play with these malware families.

Brandon Hoffman, CISO at Intel 471, says attackers appear to like the features of Cobalt Strike, specifically the Beacon component. "It has so many features built into it from a post-exploit tool perspective; it's a perfect fit for second-stage attack and instead of picking and choosing different pieces of malware, you just trop this tool and all of its features in it," he says.

The tool also contains a "malleable" command and control (C2) function, which allows an attacker to fashion its C2 network to appear like a different threat actor group. "Malleable C2 lets you mimic behavior or make C2 traffic look like almost any legitimate service," he says. So if an organization allows users to stream Pandora, for example, a Malleable C2 could be disguised as Pandora traffic in the victim's network, he says.

"That makes it extremely difficult" to spot an attack, Hoffman says. "Beacon is so customizable."

Even so, there are ways to spot malicious abuse of Cobalt Strike, experts say. Aside from bad guys making mistakes and leaving behind clues or breadcrumbs, you can spot a Cobalt Strike-borne attack unfold if you're monitoring activity: "Because Cobalt Strike is not generally used at the first attack vector, in the middle of an incident response [case] if you see something come in from one of the command-and-control servers it could potentially be Beacon," Hoffman explains. And if you create Yara rules for certain malicious scripts, that can detect it as well.

"Where we saw Cobalt Strike in the wild, some folks had repurposed it for the same malware family," says Hoffman, whose team today published its findings on cybercrime groups deploying Cobalt Strike (including indicators of compromise).

Ransomware Thread

"We've seen a correlation between the rise of Cobalt Strike use [by adversaries] and a rise in ransomware. We're not saying Cobalt Strike is fueling" ransomware, Hoffman says. It's more that ransomware is dropped at the later stages of an attack chain. "Before they get to the ransomware, attackers first have to deploy something like this [Cobalt Strike]." So, spotting that activity before ransomware is installed can save a lot of headache.

Speaking of ransomware, Sophos' IR and threat-hunting data found ransomware in more than 80% of the incidents they investigated. "Ransomware is noisy, it needs to grab attention," which is why those cases were flagged for an investigation, Sophos' Shier says. "[In] a lot of the attacks we stopped, we noticed there had been Cobalt Strike activity" as well, he says.

Researchers at Red Canary also have spotted attackers wielding Cobalt Strike in targeted attacks, including payment card theft and ransomware campaigns. They described incidents where attackers using Bazar malware used Cobalt Strike payloads in advance of their dropping Ryuk ransomware on the victim, all within a two-hour window.

"Cobalt Strike is so common and reliable that adversaries create their own custom tooling to simply deploy the payloads, knowing that they will likely succeed if they can just get the payload past security controls. This capability demonstrates how Cobalt Strike fits into the threat model for nearly any organization," according to Red Canary's report, which includes details on ways to detect malicious Cobalt Strike activity. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file