For a long time, hackers, and not only state-sponsored APT groups, have favoured Cobalt Strike, a legitimate commercial framework built for penetration testers and red teams and focused on exploitation and post-exploitation. Ransomware operators, for example, use Cobalt Strike in about 66% of cases.
Although it is not sold to ordinary users and the full version costs about $3,500 per install, attackers still find ways to use it (for example, by relying on old, pirated, cracked and unregistered copies).
Cisco Talos researchers report that in the second quarter of this year the framework was used in 66% of ransomware attacks.
Malicious actors find Cobalt Strike’s obfuscation techniques and its robust tooling for command and control (C2), stealth and data exfiltration particularly attractive.
Analysts write that both security professionals and criminals value the tool primarily for its ability to deploy listeners on a victim’s network. The listeners are used to monitor how infected hosts interact with the C&C servers from which they receive payloads and further commands from the attackers.
In their report, the researchers say they analysed the structure of attacks that use the Cobalt Strike framework and developed about 50 signatures for Snort and for the open source ClamAV antivirus engine.
I would also like to remind you that the damage from ransomware is not only financial: the actions of cybercriminals can be deadly. See, for example, First death due to ransomware attack: German hospital patient dies.
You may also be interested in another study: Cisco Talos has published research on the Astaroth malware, describing how Astaroth hides its command servers.