News, news analysis, and commentary on the latest trends in cybersecurity technology.

Google Releases YARA Rules to Disrupt Cobalt Strike Abuse

The popular pen-testing tool is often cracked and repurposed by threat actors. Google now has a plan to address that.

1 Min Read
Pop art surreal photo of incredible lightning strikes in cobalt blue city night sky
Source: jobi_pro via Adobe Stock

Cobalt Strike, a popular red-team tool for detecting software vulnerabilities, has been repurposed by cyberattackers so frequently that publisher Fortra instituted a system for vetting potential buyers. In response, malicious actors have switched to using cracked versions of the software distributed online like any other hacker tool. Google's Cloud Security team has now come up with a way to counteract these shady uses while not interfering with legitimate ones: version detection.

Threat actors have easy access to Cobalt Strike through pirating, but these illegitimate versions usually cannot be updated, wrote Greg Sinclair, security engineer for cloud threat intelligence at Google. That provides Google researchers with a way to spot potentially malicious use by identifying the version of the software being used and flagging anything earlier than the current version.

To identify the version, Google researchers analyzed the Cobalt Strike JAR files from the past 10 years and generated signatures for the various components — 165 in all. Then the team bundled the signatures into a VirusTotal collection and released them as open source YARA rules on GitHub.

"Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe," Sinclair wrote.

Earlier in November, Google Cloud Threat Intelligence released on GitHub a similar set of signatures to detect Sliver, as Bleeping Computer pointed out. The command-and-control framework has been supplanting Cobalt Strike as the repurposed security tool of choice by some threat actors.

About the Author(s)

Karen Spiegelman, Features Editor

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights