Cobalt Strike – A Common Tool in the Arsenal of Cybercriminals
A Report Published by Intel 471 Analysts Shows How the Penetration Testing Tool Is Being Abused by Threat Actors.
Intel 471 researchers explored the abuse of Cobalt Strike, a threat emulation software released in 2012 which can be used to deploy beacons on systems to simulate cyberattacks and test network defenses.
Ever since its 2012 release, Cobalt Strike has been the number one choice for penetration testers to use when simulating how known cybercriminal tools will look when attacking an organization’s network. Unfortunately, hackers also became very fond of it, and Cobalt became a very common second-stage payload for many malware campaigns across many malware families. A few months ago, security analysts from Recorded Future identified Cobalt Strike as the most prolific C2 family.
The cybercrime underground’s adoption of Cobalt Strike correlates with the rise in ransomware activity over the past few years, while also being tied to numerous other types of malware that either lead to ransomware attacks, data exfiltration, or both. Despite all of the cybercriminal activity that can be launched with this pen testing tool, it can be difficult to figure out who is actually controlling a malicious Cobalt Strike team server. Additionally, Cobalt Strike allows users to build “malleable” command and control, which allows for easy modifications of network signatures.
The source code for version 4.0 of Cobalt Strike was presumably leaked online last year and has since been abused by threat actors becoming a go-to tool for APT groups like Carbanak and Cozy Bear.
Intel 471 researchers note that the abuse has been linked to campaigns ranging from ransomware deployment to surveillance and data exfiltration, but as the tool allows users to create malleable C2 architectures, it can be complicated to trace C2 owners.
Nevertheless, an investigation into the use of Cobalt Strike in post-exploitation activities was conducted, showing how the cybercrime underground has repurposed this security tool to its advantage.
Trickbot was chosen as a starting point. Trickbot banking Trojan operators have dropped Cobalt Strike in attacks dating back to 2019, alongside Meterpreter and PowerShell Empire. Over time, Trickbot achieved notoriety with its capacity to adapt and change strategy. Either it was targeting the financial sector (in the beginning), or gaining internet worm abilities, or spoofing trusted brands like Dropbox, or even learning to disable Windows Defender.
Trickbot operators using the “rob” gtag pushed a variety of Cobalt Strike stagers (http, https, x86, x64) through Trickbot’s download-and-execute capabilities (command 43). Each Cobalt Strike variant was fetched from the very same server (http[:]//184.108.40.206) and tried to connect to https[:]//olhnmn.com (http[:]//220.127.116.11) based on the preferred communication protocol.
The Hancitor (Chancitor) group has also begun using Cobalt Strike. Its M.O. is to install password-stealers and is usually distributed through malicious spam campaigns pretending to be DocuSign invoices. Once the recipient clicks on the ‘Sign document’ link, they are automatically downloading a malicious Word document trying to convince them to disable all protections. Once the protections are disabled the malicious macros will download and install the Hancitor downloader.
It’s important to note that Hancitor only drops Cobalt Strike on machines that are connected to a Windows domain. When this condition isn’t met, Hancitor may drop SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer.
The researchers also explore the use of Cobalt Strike by threat actors distributing the Qbot/Qakbot banking Trojan, of which one of the plugins — plugin_cobalt_power3 — enables the pen-testing tool. Qbot malware has evolved to include new delivery mechanisms, command and control (C2) techniques, and anti-analysis features.
Our Qbot tracking has registered attempts to load these CobaltStrike loader binaries. The controller instruction here differs from other families as the CobaltStrike loader is shipped to Qbot bots as a plug-in. The download plug-in directive reveals the internal name given to the plug-in DLL by Qbot developers: plugin_cobalt_power3.
According to the researchers, ransomware operators have also adopted SystemBC, which has dropped Cobalt Strike during the 2020 and 2021 campaigns.
Additionally, in early 2021, Bazar campaigns were recorded as sending and distributing Cobalt Strike rather than typical Bazar loaders used by the threat actors in the past. Although not as sophisticated as Trickbot, the Bazar appears to be in development and could be a new way for the gang to target high-value businesses going forward.