Google Decided to Fight Hacked Versions of Cobalt Strike

Google and Cobalt Strike
Written by Emma Davis

Google Cloud Threat Intelligence has announced the release of a set of YARA rules, together with a collection of indicators of compromise on VirusTotal, intended to make Cobalt Strike components easier to detect and to curb abuse of the pentesting tool.

By the way, we previously wrote that some hackers are switching from Cobalt Strike to Brute Ratel C4.

Let me remind you that Cobalt Strike is a legitimate commercial tool built for pentesters and red teams, focused on exploitation and post-exploitation.

It is probably well known to most readers, but, unfortunately, hackers have long loved Cobalt Strike, from government APT groups to ransomware operators (as we wrote, ransomware operators use Cobalt Strike in 66% of cases). Although it is not available to ordinary users and the full version is estimated to cost several thousand dollars per installation, attackers still find ways to use it (for example, by relying on old, pirated, cracked and unregistered versions).


“We are releasing an open source YARA rule set and its integration as a VirusTotal collection to the community to help the community detect and identify Cobalt Strike components and their respective versions. We decided that finding the exact version of Cobalt Strike is an important aspect to determine the legality of its use, as some versions are known to be misused by attackers,” wrote Greg Sinclair, Google Cloud Threat Intelligence Security Engineer.

As Google explains, cracked and “leaked” builds of Cobalt Strike are in most cases at least one version behind the current release, which let the company collect hundreds of stagers, templates and beacon samples used by attackers and build YARA rules from them.

The experts found Cobalt Strike JARs from version 1.44 (released around 2012) through version 4.7 and used their components to build YARA rules. According to the researchers, each version of Cobalt Strike contains between 10 and 100 attack-pattern binaries. They identified 34 different versions of Cobalt Strike with 275 unique JAR files; in total, more than 340 binaries were studied, and detection signatures were created for them.

“Our goal was to make the detection highly accurate so that the exact version of certain Cobalt Strike components can be confidently identified. When this became possible, we created signatures to detect specific versions of Cobalt Strike components,” says Google.
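To show how version-specific signatures of the kind described above can be derived from a labelled corpus, here is an added Python example (it is not Google's code; the sample blobs, version labels and marker bytes in it are constructed for the demonstration, and the rule names are hypothetical). It finds byte n-grams shared by every sample of one version and absent from every sample of every other version, renders each marker as a YARA hex-string rule, and classifies an unknown blob, returning nothing when no version or more than one version matches.

```python
"""Derive version-specific byte markers from a labelled sample corpus and
emit a YARA rule per version.

Added illustration, not Google's code: the corpus below is made of constructed
byte strings standing in for Cobalt Strike components, and the version labels
and discriminating bytes in them are invented for the demo.
"""

# Constructed corpus: version label -> list of sample blobs (hypothetical content).
# The samples share a header; only the "CFG_v.." token and the tail differ.
CORPUS = {
    "4.5": [
        b"\x00PK..common_header..BEACON_CFG_v45..tail_a",
        b"\x00PK..common_header..BEACON_CFG_v45..tail_b",
    ],
    "4.7": [
        b"\x00PK..common_header..BEACON_CFG_v47..tail_a",
        b"\x00PK..common_header..BEACON_CFG_v47..tail_c",
    ],
}


def ngrams(data, n):
    """All length-n byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def version_markers(corpus, n=8):
    """For each version, the n-grams present in every sample of that version
    and absent from every sample of every other version. Such a marker
    identifies the version without also matching its siblings."""
    markers = {}
    for version, samples in corpus.items():
        if not samples:
            markers[version] = []
            continue
        shared = set.intersection(*(ngrams(s, n) for s in samples))
        others = set()
        for other, other_samples in corpus.items():
            if other != version:
                for s in other_samples:
                    others |= ngrams(s, n)
        markers[version] = sorted(shared - others)
    return markers


def to_yara(version, marker):
    """Render one marker as a YARA rule with a single hex string (demo rule name)."""
    hexbytes = " ".join(f"{b:02x}" for b in marker)
    name = "CobaltStrike_demo_v" + version.replace(".", "_")
    return (
        f"rule {name} {{\n"
        f"  meta:\n"
        f"    version = \"{version}\"\n"
        f"  strings:\n"
        f"    $m = {{ {hexbytes} }}\n"
        f"  condition:\n"
        f"    $m\n"
        f"}}\n"
    )


def classify(blob, markers):
    """Return the single version whose markers hit the blob, or None when
    no version matches or more than one does (ambiguous result)."""
    hits = [v for v, ms in markers.items() if any(m in blob for m in ms)]
    return hits[0] if len(hits) == 1 else None


MARKERS = version_markers(CORPUS)

if __name__ == "__main__":
    for version, ms in MARKERS.items():
        print(to_yara(version, ms[0]))
    unknown = b"\x00PK..common_header..BEACON_CFG_v99..tail_z"
    print(classify(CORPUS["4.7"][1], MARKERS), classify(unknown, MARKERS))
```

The generated rules carry one hex string each, which is enough to show the idea; a production rule set would combine several strings per version in its condition and would be checked against a large clean corpus so that a marker which happens to occur in unrelated software is discarded.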

According to Sinclair, the idea was to “eliminate the bad versions while leaving the legitimate ones intact”. Google's experts write that they want to return the tool to red teams and pentesters while making it harder for attackers to use.

The experts also shared a set of signatures for detecting Sliver, a legitimate open-source platform for emulating adversary behaviour. It is likewise aimed at pentesters, but attackers often use it as an alternative to Cobalt Strike.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
